CVE-2025-68455 — Unsafe Reflection in Craft CMS

CWE-470 — Unsafe Reflection8 documents5 sources

Severity

8.6HIGHNVD

GHSA9.1OSV9.1

EPSS

1.2%

top 21.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedJan 5

Latest updateFeb 9

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.0.0-RC1 — 5.8.21+1

▶NVDcraftcms/craft_cms4.0.0.1 — 4.16.17+5

▶CVEListV5craftcms/cms4 versions+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft has a potential authenticated Remote Code Execution via malicious attached Behavior↗2026-02-09

▶

OSV

Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior↗2026-01-05

▶

GHSA

Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior↗2026-01-05

▶

CVEList

Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior↗2026-01-05

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25498 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-68455 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶