QwikSec

Security Database

CVE

CWE

Training

CVE-2025-68456

Published: Jan 5, 2026

Modified: Jan 6, 2026

PUBLISHED

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Vendor	Product	Versions
craftcms	cms	affected `>= 5.0.0-RC1, < 5.8.21` affected `>= 3.0.0, < 4.16.17`

Weaknesses (CWE)

References

https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr

x_refsource_CONFIRM

https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39

x_refsource_MISC

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.