CVE-2025-68455
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached BehaviorCraft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
We have discovered 3 live websites that are affected by CVE-2025-68455.
Affected Software
| Product |  CrafterCMS |
| Category | Content Management System |
| Vulnerable Domains | 3 live websites (100% of CrafterCMS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 1 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')Details
- Published - Jan 5, 2026
- Updated - Jan 6, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-68455 United States | 3 websites |
Website Distribution by TLD
Number of websites using CVE-2025-68455| .at | 1 websites |
| .com | 1 websites |
| .de | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-68455
Top websites that are affected by CVE-2025-68455. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.at | United States | **,***,*** | |
| *******.de | United States | **,***,*** | |
| ***************.com | United States | **,***,*** |
FAQ
CVE-2025-68455 is Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in CrafterCMS
A total of 3 websites have been identified as vulnerable to CVE-2025-68455, based on global website indexing conducted by WebTechSurvey.
The CrafterCMS is affected by the CVE-2025-68455 vulnerability.
CrafterCMS versions up to 5.8.21 are vulnerable to CVE-2025-68455.
CVE-2025-68455 is resolved in version 5.8.21 of CrafterCMS.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
- https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04