CVE-2025-68456

Source
https://cve.org/CVERecord?id=CVE-2025-68456
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68456.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68456
Aliases
Published
2026-01-05T22:03:11.155Z
Modified
2026-04-10T05:35:06.731204Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Unauthenticated Craft CMS users can trigger a database backup
Details

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68456.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-202",
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.8.21"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/cms
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "4.16.17"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68456.json"