CVE-2025-68436

EUVD-2026-0846
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Affected Products (NVD)
VendorProductVersion
craftcmscraft_cms
4.0.0.1 ≤
𝑥
< 4.16.17
craftcmscraft_cms
5.0.1 ≤
𝑥
< 5.8.21
craftcmscraft_cms
4.0.0
craftcmscraft_cms
4.0.0:rc1
craftcmscraft_cms
4.0.0:rc2
craftcmscraft_cms
4.0.0:rc3
craftcmscraft_cms
5.0.0
craftcmscraft_cms
5.0.0:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9