CVE-2025-68436
Information Disclosure via User Profile Photo in Craft CMS
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft | 5.8.21 |
| craftcms | craft | 4.16.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. An authenticated user on a Craft installation could expose sensitive assets through their user profile photo by sending maliciously crafted requests. The issue is fixed in versions 5.8.21 and 4.16.17.
How can this vulnerability impact me?
The vulnerability could lead to the exposure of sensitive assets via user profile photos, compromising the confidentiality of information stored in or served by the Craft installation. In practice, an authenticated user exploiting the flaw could gain unauthorized access to sensitive data.
What immediate steps should I take to mitigate this vulnerability?
Update your Craft installation to a patched version: 5.8.21 for the 5.x line or 4.16.17 for the 4.x line. This closes the exposure of sensitive assets via user profile photos.