← Back to CVEs

CVE-2025-68455

HIGH

7.2

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CVE Details

CVSS v3.1 Score7.2

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredHIGH

User InteractionNONE

Published1/5/2026

Last Modified1/12/2026

Sourcenvd

Honeypot Sightings0

Affected Products

craftcms:craft_cms

Weaknesses (CWE)

CWE-470

References

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04(security-advisories@github.com)

https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7(security-advisories@github.com)

https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef(security-advisories@github.com)

https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593(security-advisories@github.com)

https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5(security-advisories@github.com)

https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.