CVE-2025-68436

Published: Jan 5, 2026Modified: Jan 12, 2026

4.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Affected (8)

Products: Craftcms: Craft Cms

Craftcms

1 product

Craft Cms

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Craftcms Craft Cms	From 4.0.0.1 to 4.16.17
Craftcms Craft Cms	From 5.0.1 to 5.8.21
Craftcms Craft Cms	Version 4.0.0
Craftcms Craft Cms	Version 4.0.0 rc1
Craftcms Craft Cms	Version 4.0.0 rc2
Craftcms Craft Cms	Version 4.0.0 rc3
Craftcms Craft Cms	Version 5.0.0
Craftcms Craft Cms	Version 5.0.0 rc1

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9

Source: security-advisories@github.com

Patch

https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.