Information Exposure in Craft CMS Versions Affecting User Profile Photos
CVE-2025-68436

4.9MEDIUM

Key Information:

Vendor: Craftcms
Status: Cms
Vendor: CVE Published:; 5 January 2026

What is CVE-2025-68436?

Craft CMS contains a vulnerability that allows authenticated users to potentially expose sensitive assets through maliciously crafted requests made to their user profile photos. This affects versions ranging from 5.0.0-RC1 to 5.8.20 and 4.0.0-RC1 to 4.16.16. Users are strongly encouraged to update to the latest patched versions (5.8.21 and 4.16.17) to protect against these risks.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.8.21 < 5.0.0-RC1, 5.8.21

cms >= 4.0.0-RC1, < 4.16.17 < 4.0.0-RC1, 4.16.17

References

https://github.com/craftcms/cms/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/craftcms/cms/commit/4bcb0db554e273b66c...

x_refsource_MISC

CVSS V4

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 5, 2026
Vulnerability Reserved
Dec 17, 2025

JSON

Craftcms

What is CVE-2025-68436?

Affected Version(s)

References

CVSS V4

Timeline