Craft CMS CVE-2025-68456

Severity: CRITICAL (CVSS 3.1 base score 9.1)
Weakness: Exposure of Sensitive Information Through Data Queries (CWE-202)
Published: 2026-01-05 by security-advisories@github.com (GHSA-v64r-7wg9-23pr)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 12, 2026 - 18:19 (vuln.today) - public exploit code
Patch released: Jan 12, 2026 - 18:19 (nvd) - patch available
CVE Published: Jan 05, 2026 - 22:15 (nvd)

Description (NVD)

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Analysis (AI)

Craft CMS (5.0.0-RC1 through 5.8.20, and 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion, or to information disclosure if the resulting backups are stored in a location reachable over the web. A PoC and patches are available.

Technical Context (AI)

Specific admin actions that perform a database backup can be invoked without authentication (CWE-202). If backup files are written to a web-accessible directory, an attacker can trigger a backup and then download it, obtaining the entire database. Even without file access, repeatedly triggering backups can exhaust disk space, which is the availability impact reflected in the CVSS vector.

Remediation (AI)

Update to Craft CMS 5.8.21 or 4.16.17. Ensure database backups are stored outside the webroot. Review the backup directory for backup files you did not create, since unexpected backups indicate the action was triggered by an unauthenticated request.


CVE-2025-68456 vulnerability details – vuln.today
