
Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, which can lead to resource exhaustion (repeated backups consuming disk and CPU) or to information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 or 5 release, which include the fixes.

Status: PUBLISHED | Reserved 2025-12-17 | Published 2026-01-05 | Updated 2026-01-06 | Assigner GitHub_M

Severity: HIGH 7.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P)

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-202: Exposure of Sensitive Information Through Data Queries

Product status

>= 5.0.0-RC1, < 5.8.21: affected

>= 3.0.0, < 4.16.17: affected

References

github.com/...ms/cms/security/advisories/GHSA-v64r-7wg9-23pr (exploit)

github.com/...ms/cms/security/advisories/GHSA-v64r-7wg9-23pr

github.com/...ommit/f83d4e0c6b906743206b4747db4abf8164b8da39

github.com/craftcms/cms/blob/5.x/CHANGELOG.md

cve.org (CVE-2025-68456)

nvd.nist.gov (CVE-2025-68456)
