Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Remediation

References

CVE-2025-68455

Related Vulnerabilities

TYPO3 Missing Authorization Vulnerability (CVE-2025-59017)

WordPress Plugin UnGallery Local File Disclosure (1.5.8)

Moodle Incomplete Cleanup Vulnerability (CVE-2024-38275)

Oracle JRE CVE-2012-0502 Vulnerability (CVE-2012-0502)

MediaWiki Unquoted Search Path or Element Vulnerability (CVE-2021-31553)

Severity

High

Classification

CVE-2025-68455 CWE-470 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities