Craft CMS vulnerable to potential authenticated Remote Code Execution via...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AI Analysis

Potential authenticated Remote Code Execution via malicious attached Behavior in Craft CMS

Basic Information

ID CVE-2025-68455

Source GitHub_M

Published Jan 5, 2026 at 21:59

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0-RC1, < 5.8.21

Affected Versions craftcms cms >= 5.0.0-RC1, < 5.8.21
craftcms cms >= 4.0.0-RC1, < 4.16.17

CWE Classification

CWE-470

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Craft CMS

Product Craft CMS

Version 5.0.0-RC1 to 5.8.20, 4.0.0-RC1 to 4.16.16

References

{
    "lastseen": "",
    "description": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.",
    "published": "2026-01-05T21:59:00.997Z",
    "modified": "2026-01-05T21:59:00.997Z",
    "type": "cve",
    "title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5\nhttps://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7\nhttps://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef\nhttps://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
    "id": "CVE-2025-68455",
    "bulletinFamily": "",
    "cwe": [
        "CWE-470"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0-RC1, < 5.8.21\ncraftcms cms >= 4.0.0-RC1, < 4.16.17",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0-RC1, < 5.8.21",
    "vendor": "craftcms",
    "ai_description": "Potential authenticated Remote Code Execution via malicious attached Behavior in Craft CMS",
    "ai_severity": "High",
    "ai_vendor": "Craft CMS",
    "ai_product": "Craft CMS",
    "ai_version": "5.0.0-RC1 to 5.8.20, 4.0.0-RC1 to 4.16.16",
    "ai_score": 8.6
}

Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior_CVE-2025-68455