CVE-2025-68455

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68455
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68455.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68455
Aliases
Published
2026-01-05T21:59:00.997Z
Modified
2026-01-29T02:51:45.300912Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Details

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-470"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68455.json"
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
04755d93f86d07cc183db47db8a0eee106892e30
Fixed
8582f04f8346c6cf285a18d9704c4a2d9371e9bf
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.8.21"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
daac7c1da2f701f2e9ddee1da1457ce61660b581
Fixed
b5f17cd3246cf10034a914464964757b0b84bcd3
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.16.17"
        }
    ]
}

Affected versions

3.*
3.7.33
3.7.39
3.7.40
3.7.40.1
3.7.41
3.7.42
3.7.43
3.7.44
3.7.45
3.7.45.1
3.7.45.2
3.7.46
3.7.47
3.7.47.1
3.7.48
3.7.49
3.7.50
3.7.51
3.7.52
3.7.53
3.7.53.1
3.7.54
3.7.55
3.7.55.1
3.7.55.2
3.7.55.3
3.7.56
3.7.57
3.7.58
3.7.59
3.7.60
3.7.61
3.7.62
3.7.63
3.7.63.1
3.7.64
3.7.64.1
3.7.65
3.7.65.1
3.7.65.2
3.7.66
3.7.67
3.7.68
3.8.0
3.8.0-beta.1
3.8.0-beta.2
3.8.0-beta.3
3.8.0-beta.4
3.8.0-beta.5
3.8.0-beta.6
3.8.1
3.8.10
3.8.10.1
3.8.10.2
3.8.11
3.8.12
3.8.13
3.8.14
3.8.15
3.8.16
3.8.17
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.8.8
3.8.9
3.9.0
3.9.1
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
4.*
4.0.0
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.10.0
4.10.0-beta.1
4.10.0-beta.2
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.10
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.15.0
4.15.0-beta.1
4.15.0-beta.2
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.10
4.3.11
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.4.0
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.1
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.5.0
4.5.0-beta.1
4.5.0-beta.2
4.5.1
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.6.0
4.6.0-RC1
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.10
4.8.11
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
5.*
5.0.0
5.0.0-RC1
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.10
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.2.0
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.1
5.2.10
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.3.0
5.3.0-beta.1
5.3.0-beta.2
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.10
5.4.10.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.10
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7
5.5.8
5.5.9
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.7.0
5.7.0-beta.1
5.7.0-beta.2
5.7.1
5.7.1.1
5.7.10
5.7.11
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.8.0
5.8.1
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.2
5.8.20
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68455.json"