CVE-2025-68455

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04	Product Release Notes
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7	Patch
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef	Patch
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5	Exploit Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

No history.

Information

Published : 2026-01-05 22:15

Updated : 2026-01-12 18:21

NVD link : CVE-2025-68455

Mitre link : CVE-2025-68455

CVE.ORG link : CVE-2025-68455

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

{"id": "CVE-2025-68455", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-05T22:15:52.593", "references": [{"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-470"}]}], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."}], "lastModified": "2026-01-12T18:21:12.567", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5775BAC6-95FD-41E2-85CD-06A82F00B972", "versionEndExcluding": "4.16.17", "versionStartIncluding": "4.0.0.1"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79", "versionEndExcluding": "5.8.21", "versionStartIncluding": "5.0.1"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}