CVE-2025-68455
Severity: HIGH
Craftcms Craft Cms < 4.16.17 - Remote Code Execution
Title source: ruleDescription
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References (5)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
Patch x_refsource_misc
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
Patch x_refsource_misc
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
Patch x_refsource_misc
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
Product, Release Notes x_refsource_misc
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Scores
CVSS v3
7.2
EPSS
0.0118
EPSS Percentile
78.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-470
Status
published
Products (4)
craftcms/cms
5.0.0-RC1 - 5.8.21 (Packagist)
craftcms/craft_cms
4.0.0 (4 CPE variants)
craftcms/craft_cms
5.0.0 (2 CPE variants)
craftcms/craft_cms
4.0.0.1 - 4.16.17
Published
Jan 05, 2026
Tracked Since
Feb 18, 2026