{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68455", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-17T20:22:35.081Z", "datePublished": "2026-01-05T21:59:00.997Z", "dateUpdated": "2026-01-06T19:04:15.687Z"}, "containers": {"cna": {"title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior", "problemTypes": [{"descriptions": [{"cweId": "CWE-470", "lang": "en", "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}, {"name": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"}, {"name": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"}, {"name": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"}, {"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.8.21", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.16.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-05T21:59:00.997Z"}, "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."}], "source": {"advisory": "GHSA-255j-qw47-wjh5", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:26:28.391418Z", "id": "CVE-2025-68455", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:04:15.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior", "source": {"advisory": "GHSA-255j-qw47-wjh5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.21"}, {"status": "affected", "version": ">= 4.0.0-RC1, < 4.16.17"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "name": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "name": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "name": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-470", "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-05T21:59:00.997Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68455", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:26:28.391418Z"}}}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-06T14:26:31.834Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-68455", "state": "PUBLISHED", "dateUpdated": "2026-01-05T21:59:00.997Z", "dateReserved": "2025-12-17T20:22:35.081Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-05T21:59:00.997Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."}], "id": "CVE-2025-68455", "lastModified": "2026-01-06T19:16:05.097", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-05T22:15:52.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-470"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2026-01-06T14:16:21.708479+00:00", "updated": "2026-01-06T14:16:21.708505+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craft_cms"]}