How severe is CVE-2025-68456?

CVE-2025-68456 has a CVSS v3 score of 9.1 (CRITICAL).

CVE-2025-68456

Name: craft_cms
Author: craftcms

9.1CRITICAL

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin a

发布于: 1/5/2026更新于: 1/12/2026

描述

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

AI分析AI驱动

受影响产品

craftcmscraft_cms

5.0.0

craftcmscraft_cms

5.0.0

参考资料

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
ProductRelease Notes
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
Patch
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
ExploitVendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
ExploitVendor Advisory