Arbitrary File Write Vulnerability in Craft CMS by Pixel & Tonic
CVE-2025-35939
Key Information:
Badges
What is CVE-2025-35939?
Craft CMS is vulnerable to an arbitrary file write issue where unauthenticated users can store unvalidated content in session files on the server. This flaw allows attackers to potentially introduce malicious code via crafted session values. The redirection of authentication-required requests to the login page facilitates the exploitation of this vulnerability, as the system saves dangerous content without proper sanitization. The issue has been addressed in the latest updates for affected versions.
CISA has reported CVE-2025-35939
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-35939 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
CMS 0 < 5.7.5
CMS 0 < 4.15.3
CMS 5.7.5
References
CVSS V4
Timeline
- ๐พ
Exploit known to exist
- ๐ฆ
CISA Reported
Vulnerability published
Vulnerability Reserved
