cbcvebase.
CVE-2025-68455
published 2026-01-05

CVE-2025-68455: Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated…

PriorityP351high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
0.81%
52.4th percentile
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Affected

10 ranges
VendorProductVersion rangeFixed in
craftcmscms
craftcmscms
craftcmscms>= 4.0.0-RC1 < 4.16.174.16.17
craftcmscms>= 5.0.0-RC1 < 5.8.215.8.21
craftcmscraft_cms< 4.16.184.16.18
craftcmscraft_cms< 5.8.225.8.22
craftcmscraft_cms
craftcmscraft_cms
craftcmscraft_cms>= 4.0.0.1 < 4.16.174.16.17
craftcmscraft_cms>= 5.0.1 < 5.8.215.8.21

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.6HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa9.1CRITICAL
osv9.1CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.