#VU110085 Input validation error in Craft CMS - CVE-2025-35939


Published: June 3, 2025


Vulnerability identifier: #VU110085
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2025-35939
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
Craft CMS
Software vendor:
Pixel & Tonic, Inc.

Description

The vulnerability allows a remote attacker to write arbitrary content into session files.

The vulnerability exists because Craft CMS does not sanitize data before writing it into session files that have predictable file names and a predictable location. A remote attacker can abuse this to write arbitrary PHP code to a known path on the system and later execute it by chaining with a separate vulnerability that causes the file to be included or run. On its own the flaw is a file-content write only (CVSS VI:L above), which is why it is rated Medium despite the in-the-wild exploitation.


Remediation

Install updates from the vendor's website. Updating stops further unsanitized writes but does not remove session files that were already written; review the files under the session save path for injected PHP code as part of the response.

External links