Vulnerability Description
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | >= 3.0.0, < 4.16.17 |
References
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 (Product, Release Notes)
- https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 (Patch)
- https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-68456?
CVE-2025-68456 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
How severe is CVE-2025-68456?
CVE-2025-68456 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-68456?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.