How to fix CVE-2025-35939?

Within 24 hours: Identify affected systems and apply vendor patches immediately. Vendor patch is available.

Is PHP affected by CVE-2025-35939?

CVE-2025-35939 presents notable security risk rated CVSS 6.9. Exploitation could compromise the security of affected deployments. This vulnerability is actively exploited in the wild (KEV-listed). A patch is available and should be applied during regular vulnerability management.

CVE-2025-35939

MEDIUM

2025-05-07 9119a7d8-5eab-497f-8521-727c672e3725

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:40 vuln.today

Patch Released

Mar 28, 2026 - 18:40 nvd

Patch available

Added to CISA KEV

Oct 24, 2025 - 13:45 cisa

CISA KEV

CVE Published

May 07, 2025 - 23:15 nvd

MEDIUM 6.9

Description

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

Analysis

Craft CMS stores arbitrary content provided by unauthenticated users in session files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 33.1%.

Technical Context

This vulnerability is classified under CWE-472. Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. Affected products include: Craftcms Craft Cms.

Affected Products

Craftcms Craft Cms.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

118

Low Medium High Critical

KEV: +50

EPSS: +33.1

CVSS: +34

POC: 0

CVE-2025-35939 vulnerability details – vuln.today

Back

CVE-2025-35939

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-35939

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code