CVE-2025-35939 · MEDIUM · CVSS 6.9 · KEV · fixed in 5.7.5 · fixed in 4.15.3 · 2025-05-07
CVE-2025-35939 [MEDIUM] CWE-472 Craft CMS stores user-provided content in session files
Craft CMS stores user-provided content in session files
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'se
cvelistv5