CVE-2025-68436

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68436
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68436.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68436
Aliases
Published
2026-01-05T21:46:01.734Z
Modified
2026-03-01T02:56:43.232857Z
Severity
  • 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Details

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68436.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
04755d93f86d07cc183db47db8a0eee106892e30
Fixed
8582f04f8346c6cf285a18d9704c4a2d9371e9bf
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.8.21"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
daac7c1da2f701f2e9ddee1da1457ce61660b581
Fixed
b5f17cd3246cf10034a914464964757b0b84bcd3
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.16.17"
        }
    ]
}

Affected versions

3.*
3.7.33
3.7.39
3.7.40
3.7.40.1
3.7.41
3.7.42
3.7.43
3.7.44
3.7.45
3.7.45.1
3.7.45.2
3.7.46
3.7.47
3.7.47.1
3.7.48
3.7.49
3.7.50
3.7.51
3.7.52
3.7.53
3.7.53.1
3.7.54
3.7.55
3.7.55.1
3.7.55.2
3.7.55.3
3.7.56
3.7.57
3.7.58
3.7.59
3.7.60
3.7.61
3.7.62
3.7.63
3.7.63.1
3.7.64
3.7.64.1
3.7.65
3.7.65.1
3.7.65.2
3.7.66
3.7.67
3.7.68
3.8.0
3.8.0-beta.1
3.8.0-beta.2
3.8.0-beta.3
3.8.0-beta.4
3.8.0-beta.5
3.8.0-beta.6
3.8.1
3.8.10
3.8.10.1
3.8.10.2
3.8.11
3.8.12
3.8.13
3.8.14
3.8.15
3.8.16
3.8.17
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9.0
3.9.1
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
4.*
4.0.0
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.10.0
4.10.0-beta.1
4.10.0-beta.2
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.10
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.15.0
4.15.0-beta.1
4.15.0-beta.2
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.10
4.3.11
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.4.0
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.1
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.5.0
4.5.0-beta.1
4.5.0-beta.2
4.5.1
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.6.0
4.6.0-RC1
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.10
4.8.11
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
5.*
5.0.0
5.0.0-RC1
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.10
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.2.0
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.1
5.2.10
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0
5.3.0-beta.1
5.3.0-beta.2
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.10
5.4.10.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.10
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7
5.5.8
5.5.9
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.7.0
5.7.0-beta.1
5.7.0-beta.2
5.7.1
5.7.1.1
5.7.10
5.7.11
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.8.0
5.8.1
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.2
5.8.20
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68436.json"