Database Backup Vulnerability in Craft CMS by Pixel & Tonic
CVE-2025-68456

7HIGH

Key Information:

Vendor

Craftcms

Status
Cms
Vendor
CVE Published:
5 January 2026

What is CVE-2025-68456?

Craft CMS, created by Pixel & Tonic, has a security flaw affecting multiple versions that allows unauthenticated users to trigger database backup operations through specific administrative actions. This could result in resource exhaustion or unintended information exposure. Users are strongly advised to update to version 5.8.21 or 4.16.17 to resolve this issue. Craft 3 users should transition to the latest Craft 4 or 5 releases, which include essential security enhancements.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.8.21 < 5.0.0-RC1, 5.8.21

cms >= 3.0.0, < 4.16.17 < 3.0.0, 4.16.17

References

https://github.com/craftcms/cms/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/f83d4e0c6b90674320...
x_refsource_MISC
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#582...
x_refsource_MISC

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.