CVE-2025-35939

moderate-risk

Published 2025-05-07

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.

Do I need to act?

33.1% chance of exploitation in next 30 days

EPSS score — higher than 67% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Craft Cms

Affected Vendors

Craftcms

References (6)

Patch https://github.com/craftcms/cms/pull/17220

Release Notes https://github.com/craftcms/cms/releases/tag/4.15.3

Release Notes https://github.com/craftcms/cms/releases/tag/5.7.5

Third Party Advisory https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/...

VDB Entry https://www.cve.org/CVERecord?id=CVE-2025-35939

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 23/34 · High

Exposure 5/34 · Minimal