craftcms/cms Security Advisories for 5.6.8 (10)
-
[HIGH] Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
PKSA-hcvs-d728-5zyw CVE-2025-68455 GHSA-255j-qw47-wjh5
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[HIGH] Unauthenticated Craft CMS users can trigger a database backup
PKSA-17hr-tk5g-ht8k CVE-2025-68456 GHSA-v64r-7wg9-23pr
Affected version: >=3.0.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
PKSA-9rbz-gy92-qjtd CVE-2025-68454 GHSA-742x-x762-7383
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
PKSA-4gr3-459g-ssmq CVE-2025-68437 GHSA-x27p-wfqw-hfcc
Affected version: >=3.5.0,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
PKSA-yj3g-znh5-93sd CVE-2025-68436 GHSA-53vf-c43h-j2x9
Affected version: >=4.0.0-RC1,<=4.16.16|>=5.0.0-RC1,<=5.8.20
Reported by:
GitHub -
[MEDIUM] Craft CMS Potential Remote Code Execution via Twig SSTI
PKSA-cbq7-fhfn-fyt5 CVE-2025-57811 GHSA-crcq-738g-pqvc
Affected version: >=5.0.0-RC1,<=5.8.6|>=4.0.0-RC1,<=4.16.5
Reported by:
GitHub -
[MEDIUM] Craft CMS has a theoretical bypass for CVE-2025-23209
PKSA-xnt5-5jkh-xr5x CVE-2025-54417 GHSA-2vcf-qxv3-2mgw
Affected version: >=5.5.8,<5.8.4|>=4.13.8,<4.16.3
Reported by:
GitHub -
[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files
PKSA-ht16-h36v-hxc7 CVE-2025-35939 GHSA-7vrx-9684-xrf2
Affected version: <4.15.3|>=5.0.0-alpha.1,<5.7.5
Reported by:
GitHub -
[HIGH] Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
PKSA-8gxy-mg5h-z15w CVE-2025-46731 GHSA-7c58-g782-9j38
Affected version: >=5.0.0-RC1,<=5.6.14|>=4.0.0-RC1,<=4.14.12
Reported by:
GitHub -
[CRITICAL] Craft CMS Allows Remote Code Execution
PKSA-5c44-5nbz-c7cq CVE-2025-32432 GHSA-f3gw-9ww9-jmc3
Affected version: >=5.0.0-RC1,<=5.6.16|>=4.0.0-RC1,<=4.14.14|>=3.0.0-RC1,<=3.9.14
Reported by:
GitHub