CVE-2025-68456

Severity: CRITICAL, CVSS 3.1 base score 9.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 12, 2026 - 18:19 (vuln.today), public exploit code
Patch Released: Jan 12, 2026 - 18:19 (nvd), patch available
CVE Published: Jan 05, 2026 - 22:15 (nvd)

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Analysis

Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion or to information disclosure if backups are stored in accessible locations. A public PoC and patches are available.

Technical Context

Specific admin actions for database backup can be invoked without authentication (CWE-202). If backup files are stored in a web-accessible directory, an attacker can trigger a backup and then download it, obtaining the entire database. Even without file access, repeated backup triggering causes disk exhaustion.

Affected Products

Craft CMS 5.0.0-RC1 through 5.8.20, 3.x through 4.16.16

Remediation

Update to Craft CMS 5.8.21 or 4.16.17. Ensure database backups are stored outside the webroot. Review the backup directory for unauthorized files.
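
The two impacts described above (disk exhaustion from repeated backup triggers, and disclosure when a backup is later fetched from a web-reachable directory) can be looked for in web-server access logs. The following is an added example written for this page, not code from vuln.today or from the Craft project; the action path, backup directory and log lines are constructed placeholders, because the advisory does not name the vulnerable action or the backup location.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholders (assumptions, not values from the advisory): adapt to the
# real action route and the real backup path of the deployment under review.
BACKUP_ACTION = "/index.php?p=admin/actions/PLACEHOLDER-db-backup"
BACKUP_DIR_PREFIX = "/storage/backups/"
BURST_THRESHOLD = 3      # backup triggers from one client ...
BURST_WINDOW = 300       # ... within this many seconds is a burst

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(line):
    """Return (ip, datetime, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def analyse(lines):
    """Return (clients bursting the backup action, successful backup-file downloads)."""
    triggers = defaultdict(list)
    downloads = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, _method, path, status = rec
        if path.startswith(BACKUP_ACTION):
            triggers[ip].append(when)                       # resource-exhaustion signal
        elif path.startswith(BACKUP_DIR_PREFIX) and status == 200 \
                and path.endswith((".sql", ".sql.gz", ".zip")):
            downloads.append((ip, path))                    # disclosure signal
    bursts = []
    for ip, times in triggers.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds() <= BURST_WINDOW:
                bursts.append(ip)
                break
    return bursts, downloads

# Constructed sample log (not real traffic): three triggers in 74 s, then a download.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:18:20:01 +0000] "POST /index.php?p=admin/actions/PLACEHOLDER-db-backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2026:18:20:40 +0000] "POST /index.php?p=admin/actions/PLACEHOLDER-db-backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2026:18:21:15 +0000] "POST /index.php?p=admin/actions/PLACEHOLDER-db-backup HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2026:18:22:03 +0000] "GET /storage/backups/site--2026-01-12.sql.zip HTTP/1.1" 200 8392011',
    '198.51.100.4 - - [12/Jan/2026:18:30:00 +0000] "GET /index.php?p=admin/dashboard HTTP/1.1" 302 0',
]
```

A download hit from the backup directory is itself evidence that the remediation (backups outside the webroot) is not in place, independent of whether a burst was seen.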

Priority Score

66 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.2, CVSS +46, PoC +20


CVE-2025-68456 vulnerability details – vuln.today
