CVE-2025-35939 · MEDIUM 5.3 · CISA KEV · EPSS percentile 61.9%

CVE-2025-35939: Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

Craft CMS / Craft CMS

Description

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Scoring

CVSS 3.1: 5.3 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.12% probability of exploitation · percentile 61.9% · 2026-06-19T12:03:05Z
Published: 2025-05-07
Last modified: 2025-10-24

CISA KEV entry

Added to KEV: 2025-06-02

Underlying weaknesses · 1

CWE-472: External Control of Assumed-Immutable Web Parameter

References

  1. https://github.com/craftcms/cms/pull/17220
  2. https://github.com/craftcms/cms/releases/tag/4.15.3
  3. https://github.com/craftcms/cms/releases/tag/5.7.5
  4. https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json
  5. https://www.cve.org/CVERecord?id=CVE-2025-35939
  6. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939

(outgoing) · 1

Type: Weakness · Target: External Control of Assumed-Immutable Web Parameter (cwe-472) · Confidence: 0% · Tier: live

(incoming) · 1

Type: KEVEntry · Target: Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability (kev-cve-2025-35939) · Confidence: 0% · Tier: live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: Craft CMS Code Injection Vulnerability
  2. CVE: CVE-2025-54417
  3. CVE: CVE-2026-31857
  4. CVE: CVE-2026-0963
  5. CVE: CVE-2025-68454
  6. CVE: CVE-2025-6384

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.