Description


Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Related CPEs


a · craftcms · craft_cms · 4

Weaknesses



CWE-202, CWE-770


CWE-770

CVSS impact metrics


CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

9.1 · Critical

Information


Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-05T22:15:52.727Z


Last modified

2026-01-12T18:19:38.220Z
