CVE-2025-35939
unknown
KEV
CVSS v3: —
CVSS v2: —
VIR risk: 1.5
Description
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
CISA KEV
- Vendor: Craft CMS
- Product: Craft CMS
- Due date: 2025-06-23
Predictions
Exploit likelihood: 99%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://github.com/craftcms/cms/pull/17220 ; https://nvd.nist.gov/vuln/detail/CVE-2025-35939
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | craftcms/cms | >=5.0.0-alpha.1,<5.7.5 | 5.7.5 |
| Packagist | craftcms/cms | <4.15.3 | 4.15.3 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-35939
- https://github.com/craftcms/cms/pull/17220
- https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2
- https://github.com/craftcms/cms
- https://github.com/craftcms/cms/releases/tag/4.15.3
- https://github.com/craftcms/cms/releases/tag/5.7.5
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939
- https://www.cve.org/CVERecord?id=CVE-2025-35939