Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets through their user profile photo by means of maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References
Configurations
Configuration 1
History
12 Jan 2026, 18:29
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*, cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*, cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*, cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*, cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*, cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*, cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* |
| CVSS | v2 : (none), v3 : (none) | v2 : unknown, v3 : 6.5 |
| First Time | | Craftcms, Craftcms craft Cms |
| References | | https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9 - Patch |
| References | | https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9 - Vendor Advisory |
05 Jan 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-01-05 22:15
Updated : 2026-01-12 18:29
NVD link : CVE-2025-68436
Mitre link : CVE-2025-68436
CVE.ORG link : CVE-2025-68436
Products Affected
craftcms
- craft_cms
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
