Home > Vulnerability Database > CVE-2025-68436

Mend.io Vulnerability Database

CVE-2025-68436

Good to know:

Date: January 5, 2026

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Severity Score

6.5

Related Resources (5)

Url: https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9

Url: https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68436

Url: https://github.com/craftcms/cms

Url: https://www.mend.io/vulnerability-database/CVE-2025-68436

Severity Score

6.5

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Top Fix

Upgrade Version

Upgrade to version craftcms/cms - 5.8.21;craftcms/cms - 4.16.17;https://github.com/craftcms/cms.git - 4.16.17;https://github.com/craftcms/cms.git - 5.8.21

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68436

Good to know:

Date: January 5, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?