CVE-2025-68456

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04	Product Release Notes
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr	Exploit Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

12 Jan 2026, 18:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
References	~~() https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 -~~	() https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 - Product, Release Notes
References	~~() https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 -~~	() https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr - Exploit, Vendor Advisory
First Time		Craftcms Craftcms craft Cms

06 Jan 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr -

05 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-05 22:15

Updated : 2026-01-12 18:19

NVD link : CVE-2025-68456

Mitre link : CVE-2025-68456

CVE.ORG link : CVE-2025-68456

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-202

Exposure of Sensitive Information Through Data Queries

CWE-770

Allocation of Resources Without Limits or Throttling

9.1 /10