Input validation error in Craft CMS - CVE-2025-35939


Published: June 3, 2025


Vulnerability identifier: #VU110085
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2025-35939
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to write arbitrary contents to session files.

The vulnerability exists because Craft CMS does not sanitize data before writing it into session files that have predictable file names and locations. A remote attacker can abuse this to write arbitrary PHP code into a known location on the system and later execute it by means of a different vulnerability.
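A defender-side check that follows from the description above, added here as an example (it is not code from this advisory or from Craft CMS): it sweeps a PHP session directory for files containing a PHP open tag, which legitimately serialized session data never contains. It assumes PHP's default file session handler naming (`sess_<id>`) and builds its own constructed sample directory; the directory path and sample contents are not taken from the advisory.

```python
import re
import tempfile
from pathlib import Path

# A PHP long tag "<?php" or short echo tag "<?=" has no business inside
# serialized session data; its presence means code was written into the file.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_session_file(path: Path) -> list:
    """Return findings for one session file; an empty list means clean."""
    data = path.read_bytes()
    findings = []
    match = PHP_TAG.search(data)
    if match:
        # Record the signal and the byte offset so a responder can inspect it.
        findings.append("php_open_tag")
        findings.append("offset=%d" % match.start())
    return findings


def scan_session_dir(save_path: str, prefix: str = "sess_") -> dict:
    """Scan every file named <prefix>* in save_path; map filename -> findings.

    Files that do not carry the session prefix are deliberately ignored so the
    sweep stays focused on the session store itself.
    """
    results = {}
    for entry in sorted(Path(save_path).iterdir()):
        if entry.is_file() and entry.name.startswith(prefix):
            findings = scan_session_file(entry)
            if findings:
                results[entry.name] = findings
    return results


def demo() -> dict:
    """Build a constructed session directory (sample data only) and scan it."""
    tmp = tempfile.mkdtemp()
    # Clean session: ordinary PHP-serialized scalars.
    Path(tmp, "sess_clean0001").write_bytes(b'user|i:42;csrf|s:4:"abcd";')
    # Tainted session: a PHP open tag stored inside a string value.
    Path(tmp, "sess_tainted02").write_bytes(b'x|s:16:"<?php echo 1; ?>";')
    # Not a session file: must be ignored regardless of its contents.
    Path(tmp, "notes.txt").write_bytes(b"<?php echo 1; ?>")
    return scan_session_dir(tmp)


if __name__ == "__main__":
    print(demo())
```

Point `scan_session_dir` at the real `session.save_path` of the affected deployment during triage; any hit is a file worth preserving for forensics rather than simply deleting.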


How to mitigate CVE-2025-35939

Install updates from the vendor's website.

Sources