CVE-2025-68456 — Exposure of Sensitive Information Through Data Queries in Craft CMS

CWE-202 — Exposure of Sensitive Information Through Data Queries CWE-770 — Allocation of Resources Without Limits or Throttling5 documents5 sources

Severity

7.0HIGHNVD

EPSS

0.2%

top 61.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedJan 5

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.0.0-RC1 — 5.8.21+1

▶NVDcraftcms/craft_cms3.0.0 — 4.16.17+2

▶CVEListV5craftcms/cms>= 3.0.0, < 4.16.17, >= 5.0.0-RC1, < 5.8.21+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Unauthenticated Craft CMS users can trigger a database backup↗2026-01-05

▶

OSV

Unauthenticated Craft CMS users can trigger a database backup↗2026-01-05

▶

CVEList

Unauthenticated Craft CMS users can trigger a database backup↗2026-01-05

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68456 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶