CVE-2025-68456
CRITICAL: Craftcms Craft Cms < 4.16.17 - Information Disclosure
Title source: ruleDescription
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
References (3)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
Patch x_refsource_misc
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
Product, Release Notes x_refsource_misc
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Scores
CVSS v3
9.1
EPSS
0.0017
EPSS Percentile
38.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
CWE-202
Status
published
Products (3)
craftcms/cms
5.0.0-RC1 - 5.8.21 (Packagist)
craftcms/craft_cms
5.0.0 (2 CPE variants)
craftcms/craft_cms
3.0.0 - 4.16.17
Published
Jan 05, 2026
Tracked Since
Feb 18, 2026