Database Backup Vulnerability in Craft CMS by Pixel & Tonic
CVE-2025-68456
7HIGH
What is CVE-2025-68456?
Craft CMS, created by Pixel & Tonic, has a security flaw affecting multiple versions that allows unauthenticated users to trigger database backup operations through specific administrative actions. This could result in resource exhaustion or unintended information exposure. Users are strongly advised to update to version 5.8.21 or 4.16.17 to resolve this issue. Craft 3 users should transition to the latest Craft 4 or 5 releases, which include essential security enhancements.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.8.21 < 5.0.0-RC1, 5.8.21
cms >= 3.0.0, < 4.16.17 < 3.0.0, 4.16.17
References
CVSS V4
Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved