Craft CMS vulnerable to potential information disclosure via unchecked asset...

4.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Basic Information

ID CVE-2025-68436

Source GitHub_M

Published Jan 5, 2026 at 21:46

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0-RC1, < 5.8.21

Affected Versions craftcms cms >= 5.0.0-RC1, < 5.8.21
craftcms cms >= 4.0.0-RC1, < 4.16.17

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.",
    "published": "2026-01-05T21:46:01.734Z",
    "modified": "2026-01-05T21:46:01.734Z",
    "type": "cve",
    "title": "Craft CMS vulnerable to potential information disclosure via unchecked asset relocation",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9",
    "id": "CVE-2025-68436",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0-RC1, < 5.8.21\ncraftcms cms >= 4.0.0-RC1, < 4.16.17",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0-RC1, < 5.8.21",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft CMS vulnerable to potential information disclosure via unchecked asset relocation_CVE-2025-68436