Feb 28, 2026·5 min read·19 visits
CVE-2025-68436 is a Mass Assignment vulnerability in Craft CMS versions 4.x and 5.x. It permits authenticated users to assign any asset ID as their profile photo. This can expose sensitive files (PDFs, backups, private images) by relocating them to public profile directories or granting the attacker view permissions. The fix involves explicitly excluding 'photoId' from safe attributes.
A logic vulnerability in Craft CMS allows authenticated users to associate arbitrary system assets with their user profile via a mass assignment flaw. By manipulating the 'photoId' parameter during a profile update, an attacker can link sensitive files—potentially restricted to administrators or other users—to their own account, leading to unauthorized access and potential file relocation to public directories.
Craft CMS, a flexible content management system built on the Yii2 framework, contains an Information Disclosure vulnerability rooted in improper input handling during user profile updates. The system leverages a 'Mass Assignment' pattern to populate model attributes from user requests. However, the User model failed to exclude the photoId attribute from the list of 'safe' attributes that can be modified directly by end-users.
This oversight exposes a significant attack surface: the asset management system. In Craft CMS, files (assets) are referenced by numeric IDs. Because the application did not validate whether the supplied photoId belonged to an asset the user was authorized to use—or if it was an appropriate image file—an attacker could bind arbitrary assets to their profile. This action forces the system to treat the target file as a profile photo, potentially moving it to a publicly accessible web directory or exposing its metadata through standard user profile APIs.
The vulnerability is a classic Mass Assignment (or Overposting) flaw, exacerbated by the asset handling logic in Craft CMS. The underlying Yii2 framework provides a mechanism to populate model properties massively from an input array (typically $_POST). Developers control which attributes are susceptible to this via the safeAttributes() method or validation rules.
In affected versions, the User element (which extends the base Element class) did not explicitly blacklist photoId from mass assignment. When a save-user action is triggered, the controller invokes code similar to $user->setAttributes($request->post()). Consequently, if a malicious payload includes photoId, the framework blindly updates the user's record to reference that ID.
Crucially, the side effects of changing a profile photo in Craft CMS include asset relocation. The CMS logic often attempts to consolidate user photos into a specific storage volume. If an attacker assigns a sensitive document (e.g., ID 500, representing a private contract PDF) as their photo, the system may move that file from a secure, internal volume to the public 'User Photos' volume, effectively bypassing all original access control lists (ACLs) applied to that asset.
The remediation involves restricting the photoId attribute so it cannot be set via mass assignment. The patch modifies src/elements/User.php to explicitly remove this attribute from the safe list.
Below is the comparison of the logic before and after the patch:
Vulnerable Code (Implicit Behavior):
Previously, safeAttributes() was not overridden in a way that excluded photoId, or it relied on parent behavior that permitted it. This allowed the controller to map $_POST['photoId'] directly to $user->photoId.
Patched Code (Explicit Exclusion):
In the patched version, the developers override safeAttributes to ensure photoId is stripped from the allowable input list. This forces any photo updates to go through dedicated, validated controller actions (like uploading a new file) rather than direct property assignment.
// src/elements/User.php
/**
* @inheritdoc
*/
public function safeAttributes(): array
{
// PATCH: Explicitly remove 'photoId' from the list of attributes
// that can be mass-assigned from request data.
// This prevents attackers from setting arbitrary asset IDs via POST.
return ArrayHelper::withoutValue(parent::safeAttributes(), 'photoId');
}By using ArrayHelper::withoutValue, the patch ensures that even if photoId is technically a valid property of the model, it is never considered 'safe' for bulk assignment from user input.
Exploiting this vulnerability requires a low-privileged authenticated session (e.g., a standard user account). The attack vector targets the save-user action used when users update their own profiles.
1. Reconnaissance: The attacker first attempts to enumerate Asset IDs. Since IDs are typically sequential integers, an attacker might guess IDs or leak them via other minor information disclosures (e.g., iterating through asset endpoints if available).
2. Payload Construction:
The attacker intercepts their own profile update request using a proxy (like Burp Suite) and appends the photoId parameter.
POST /index.php?p=admin/actions/users/save-user HTTP/1.1
Host: target-cms.com
Cookie: [Session Cookies]
Content-Type: application/x-www-form-urlencoded
userId=105&firstName=Attacker&photoId=423. Execution & Access:
If Asset ID 42 exists (e.g., a database backup file backup.sql uploaded by an admin), Craft CMS updates the attacker's user record. The system may then process this asset as an image. Even if image processing fails, the association persists. The attacker then visits their public profile or inspects the URL of their 'avatar' to retrieve the file path. If the system relocated the asset to a public volume, the file is now downloadable by anyone.
The impact of CVE-2025-68436 is primarily Confidentiality Loss. The severity depends heavily on the sensitivity of the assets stored within the CMS.
Data Exposure:
.env file stored as an asset).Metadata Leakage: Even if the file content cannot be rendered (e.g., a binary file treated as an image), the attacker gains knowledge of the file's existence, original filename, and size. This metadata can facilitate further attacks.
CVSS Context:
The vulnerability is rated Medium (6.5) because it requires authentication (PR:L). However, on systems with open registration, the barrier to entry is negligible. The attack complexity is Low (AC:L), and no user interaction (UI:N) is required from a victim.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Craft CMS Pixel & Tonic | >= 4.0.0-RC1, < 4.16.17 | 4.16.17 |
Craft CMS Pixel & Tonic | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-200 (Info Disclosure) / CWE-915 (Mass Assignment) |
| CVSS v3.1 | 6.5 (Medium) |
| Attack Vector | Network (Authenticated) |
| Impact | High Confidentiality Loss |
| Exploit Status | PoC Available |
| EPSS Score | 0.0004 (Low Probability) |
Exposure of Sensitive Information to an Unauthorized Actor
An in-depth security audit of the skillctl command-line package manager revealed five critical and high-severity security vulnerabilities. The identified flaws span parameter-level command argument injection via the source_sha parameter, uncontrolled resource consumption (Denial of Service) through unnamed UNIX FIFOs and character devices, directory path traversal in the destination argument, commit-message trailer forgery via newline injection in skill names, and local credential exfiltration leveraging UNIX hardlinks. These vulnerabilities represent significant vectors for workstation compromise when executing agentic tasks in repositories containing untrusted files or pull requests. Remediation was introduced in version v0.1.3.
CVE-2026-48153 is a Server-Side Request Forgery (SSRF) vulnerability in the Budibase OAuth2 SDK prior to version 3.39.0. It allows authenticated low-privileged users to bypass outbound network security blacklists and send arbitrary requests to internal subnets or cloud metadata services.
The self-hosted Slack Nebula VPN control plane, nebula-mesh, stored high-privilege enrollment tokens in plaintext inside its SQLite database. This flaw allowed any adversary with read access to the database to retrieve pending tokens and enroll unauthorized hosts into the secure VPN mesh.
The devbridge-autocomplete package (jQuery-Autocomplete) fails to escape category headers and suggestion values when using default formatters formatGroup and formatResult. If suggestions contain untrusted input, arbitrary HTML and JavaScript execute directly in the victim's browser session.
OpenCTI versions prior to 6.1.9 fail to properly restrict GraphQL schema introspection queries due to a weak pattern-matching implementation. An unauthenticated attacker can bypass the introspection block list by stripping whitespace and carriage returns, enabling complete reconnaissance of the GraphQL schema.
An unrestricted file upload vulnerability in Paymenter's support ticket system (prior to version 1.2.11) allows authenticated users to upload arbitrary PHP scripts to a web-accessible directory. The application fails to validate file extensions or MIME types before storing the files, enabling remote code execution under the web server's privilege context.