CVE-2025-68456

Опубликовано: 05 янв. 2026

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Ссылки

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Product
Release Notes
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
Patch
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
Exploit
Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 4.16.17 (исключая)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

Версия от 5.0.1 (включая) до 5.8.21 (исключая)

cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*

cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

EPSS

Процентиль: 24%

0.00078

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-202

CWE-770

Связанные уязвимости

GHSA-v64r-7wg9-23pr

github

около 1 месяца назад

Unauthenticated Craft CMS users can trigger a database backup