CVE-2025-68456

216.73.216.226

· Published 05/01/2026 22:15 · Modified 06/01/2026 19:16

Labels: CVE-2025-68456 2026-01-05 CVE-2025-68456 CWE-202 [email protected]

Essential information

Published: 05/01/2026 22:15
Modified: 06/01/2026 19:16
Author: —
Creator: —
CVSS: 7.0 HIGH (v3) 7.0 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
craft / craft	`cpe:2.3:a:craft:craft:5.0.0-RC1:5.8.20::::::`
craft / craft	`cpe:2.3:a:craft:craft:5.0.0-RC1-5.8.20:::::::*`
craft / craft	`cpe:2.3:a:craft:craft:3.0.0-4.16.16:::::::*`
craft / craft	`cpe:2.3:a:craft:craft:4.16.17:::::::*`
craft / craft	`cpe:2.3:a:craft:craft:5.8.21:::::::*`