PT-2026-1343 · Pixel & Tonic · Craft

Published: 2026-01-05 · Updated: 2026-01-06 · CVE-2025-68436

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Craft versions 5.0.0-RC1 through 5.8.20
Craft versions 4.0.0-RC1 through 4.16.16

Description
Craft is a platform for creating digital experiences. Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo through maliciously crafted requests. As the CVSS vector indicates, any low-privileged authenticated account is sufficient (PR:L), and the impact is limited to confidentiality (C:H) with no integrity or availability impact.

Recommendations
Update to version 5.8.21
Update to version 4.16.17

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2025-68436
GHSA-53VF-C43H-J2X9

Affected Products

Craft