What is the CVSS score of CVE-2025-68437?

CVE-2025-68437 has a CVSS 3.1 base score of 6.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Craft Cms are affected by CVE-2025-68437?

Organizations using versions 5.0.0-RC1 should be aware of notable risk from CVE-2025-68437, a server-side request forgery vulnerability rated CVSS 6.8.. A patch is available.

Is there a public PoC exploit available for CVE-2025-68437?

Yes, a public proof-of-concept exploit is available for CVE-2025-68437. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-68437?

Within 30 days: Identify affected systems running versions 5.0.0-RC1 and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Craft Cms CVE-2025-68437

MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-01-05 security-advisories@github.com

GHSA-x27p-wfqw-hfcc

SSRF Craft Cms

6.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 12, 2026 - 18:28 vuln.today

Public exploit code

Patch released

Jan 12, 2026 - 18:28 nvd

Patch available

CVE Published

Jan 05, 2026 - 22:15 nvd

MEDIUM 6.8

DescriptionNVD

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL save_<VolumeName>_Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the _file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the url, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

AnalysisAI

Technical ContextAI

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Craft Cms. Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL save_<VolumeName>_Asset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the _file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoin

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2025-68437 vulnerability details – vuln.today

Back

Craft Cms CVE-2025-68437

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code