Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-wnr9-2wyr-wug4
Vulnerability ID VCID-wnr9-2wyr-wug4
Aliases CVE-2025-68436
GHSA-53vf-c43h-j2x9
Summary Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2025-68436
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-53vf-c43h-j2x9
cvssv4 4.9 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 4.9 https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
generic_textual MODERATE https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
ssvc Track https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
cvssv3.1_qr MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
cvssv4 4.9 https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
cvssv4 4.9 https://nvd.nist.gov/vuln/detail/CVE-2025-68436
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-68436
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-68436
4bcb0db554e273b66ce3b75263a13414c2368fc9 https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
CVE-2025-68436 https://nvd.nist.gov/vuln/detail/CVE-2025-68436
GHSA-53vf-c43h-j2x9 https://github.com/advisories/GHSA-53vf-c43h-j2x9
GHSA-53vf-c43h-j2x9 https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/ Found at https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2025-68436
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.11692
EPSS Score 0.00038
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:58:58.305930+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/68xxx/CVE-2025-68436.json 38.6.0