CVE-2025-68456 · CRITICAL 9.1 · EPSS p37.1%

CVE-2025-68456

Description

Craft CMS is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations through specific admin actions. Because the backup runs without an authentication check, a remote caller can trigger it repeatedly and exhaust disk and database resources (CWE-770), and the operation potentially discloses database contents (CWE-202); the CVSS vector rates both the confidentiality and the availability impact as High. Craft 4 users should update to 4.16.17 and Craft 5 users to 5.8.21. No patched Craft 3 release is listed; Craft 3 users should upgrade to a current Craft 4 or 5 release, which includes the fix.
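A practitioner triaging this record first wants to know whether a given deployment falls inside the affected ranges. The following Python is an added example, not part of the NVD record and not Craft's own code: it encodes the inclusive version ranges quoted above (with 5.0.0-RC1 sorting before 5.0.0, as Composer orders pre-releases), reads the pinned craftcms/cms version out of a composer.lock, and reports the remediation the advisory text gives for that major. The composer.lock fragment is constructed for the example.

```python
import json
import re

# Affected ranges as stated in the advisory text above (inclusive bounds).
# The text lists no fixed Craft 3 release, so the whole 3.x line is treated
# as affected and the remediation is an upgrade to 4.16.17+ or 5.8.21+.
AFFECTED_RANGES = [
    ("3.0.0", "4.16.16"),
    ("5.0.0-RC1", "5.8.20"),
]
FIXED = {4: "4.16.17", 5: "5.8.21"}


def version_key(version):
    """Turn 'major.minor.patch[-prerelease]' into a sortable tuple.

    A pre-release (5.0.0-RC1) sorts before its final release (5.0.0), matching
    Composer/semver ordering. Pre-release tags compare case-insensitively and
    numeric parts compare as integers, so RC2 > RC10 is avoided.
    """
    version = version.strip().lstrip("v")
    core, _, pre = version.partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    pre_parts = ()
    for part in (pre.lower().split(".") if pre else []):
        m = re.fullmatch(r"([a-z]*)(\d*)", part)
        if m is None:
            raise ValueError(f"unparseable pre-release tag in {version!r}")
        tag, num = m.group(1), m.group(2)
        pre_parts += ((tag, int(num) if num else -1),)
    # Element 3 is 1 for a final release and 0 for a pre-release, so that
    # (5, 0, 0, 0, ...) < (5, 0, 0, 1, ()), i.e. 5.0.0-RC1 < 5.0.0.
    return (*nums[:3], 0 if pre else 1, pre_parts)


def is_affected(version):
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def remediation(version):
    if not is_affected(version):
        return "not affected"
    major = version_key(version)[0]
    if major in FIXED:
        return f"update to {FIXED[major]}"
    return "no fixed release for this major; upgrade to Craft 4.16.17+ or 5.8.21+"


def installed_craft_version(composer_lock_text):
    """Return the craftcms/cms version pinned in a composer.lock, or None."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed sample composer.lock fragment (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.20"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})

if __name__ == "__main__":
    v = installed_craft_version(SAMPLE_LOCK)
    print(f"craftcms/cms {v}: {remediation(v)}")
```

Read the composer.lock of the deployed artifact, not the developer checkout, since the two can diverge; the check says nothing about whether the admin action is reachable through a given web server configuration, only whether the installed release contains the fix.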

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.47% probability of exploitation · percentile 37.1% · scored 2026-06-18T12:00:27Z
Published: 2026-01-05
Last modified: 2026-01-12

Underlying weaknesses · 2

CWE-202, CWE-770

References

  1. https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
  2. https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
  3. https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr

Type      Target                                                            Confidence  Tier
Weakness  Exposure of Sensitive Information Through Data Queries (cwe-202)  0%          live
Weakness  Allocation of Resources Without Limits or Throttling (cwe-770)    0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-54417
  2. CVE: CVE-2025-68454
  3. CVE: Craft CMS Code Injection Vulnerability
  4. CVE: CVE-2026-25497
  5. CVE: CVE-2025-0502
  6. CVE: CVE-2026-0805

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.