PatchSiren cyber security CVE debrief

CVE-2025-35939 Craft CMS CVE debrief

CVE-2025-35939 is a Craft CMS vulnerability described as an external control of an assumed-immutable web parameter. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-06-02, which makes it a near-term defensive priority for any exposed Craft CMS deployment.

Vendor: Craft CMS
Product: Craft CMS
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-06-02
Original CVE updated: 2025-06-02
Advisory published: 2025-06-02
Advisory updated: 2025-06-02

Who should care

Organizations running Craft CMS, especially internet-facing sites, managed hosting environments, and teams responsible for web application patching, incident response, or vulnerability management.

Technical summary

The issue class indicates that Craft CMS may accept a web parameter that the application expects to remain unchanged, but which can be influenced externally. In practice, that kind of weakness can lead to unauthorized changes in application behavior if untrusted input reaches sensitive logic. The supplied corpus does not include a CVSS score or additional technical detail, so remediation should be driven by the KEV listing and vendor guidance.
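To make the weakness class concrete, the following is an added, constructed example of an "assumed-immutable web parameter" flaw (the class catalogued as CWE-472) beside its hardened form. It is not Craft CMS code and it does not reproduce the CVE-2025-35939 issue, whose details the advisory does not give; the order/price scenario, the CATALOG table and the function names are assumptions chosen purely to illustrate the pattern.

```python
"""Constructed illustration of CWE-472 (external control of an assumed-immutable
web parameter). Not Craft CMS code and not the CVE-2025-35939 flaw itself."""

from dataclasses import dataclass

# Constructed server-side source of truth. The application assumes the price
# of a SKU cannot be altered by the client.
CATALOG = {"sku-100": 2500}  # price in cents


@dataclass
class Order:
    sku: str
    price_cents: int


def vulnerable_checkout(form: dict) -> Order:
    """Weak pattern: the handler trusts a 'price' value echoed back from a
    hidden form input. Nothing stops a client from rewriting that field, so the
    parameter the application treats as immutable is externally controlled."""
    return Order(sku=form["sku"], price_cents=int(form["price"]))


def hardened_checkout(form: dict, audit: list) -> Order:
    """Hardened pattern: the immutable value is re-derived from server-side
    state on every request. A client-supplied copy is never used as data; if it
    disagrees with the server's value it is recorded as a tampering signal,
    which is the kind of 'unexpected parameter handling' worth monitoring."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku: {sku!r}")
    price = CATALOG[sku]
    if "price" in form and str(form["price"]) != str(price):
        audit.append(f"price mismatch for {sku}: client sent {form['price']!r}, server has {price}")
    return Order(sku=sku, price_cents=price)


def demo() -> dict:
    """Runs both handlers against a constructed tampered request and returns
    the outcomes so the difference can be inspected programmatically."""
    tampered = {"sku": "sku-100", "price": "1"}  # constructed: client rewrote the hidden field
    audit: list = []
    return {
        "vulnerable_price": vulnerable_checkout(tampered).price_cents,
        "hardened_price": hardened_checkout(tampered, audit).price_cents,
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive point is the second handler's shape: any value the application considers fixed is looked up or recomputed server-side, and a client-supplied copy is treated as evidence rather than input, which gives both a mitigation and a log line to alert on.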

Defensive priority

High. CISA has cataloged this CVE as known exploited, so it should be treated as urgent for exposure assessment, mitigation, and patch planning.

Recommended defensive actions

  • Identify all Craft CMS instances, including public-facing, staging, and hosted deployments.
  • Check the vendor's security guidance and apply the recommended mitigation or update as soon as possible.
  • If mitigations are unavailable, follow CISA's guidance to discontinue use of the product until a safe fix is available.
  • Prioritize external-facing systems and any environment that processes untrusted web requests.
  • Verify remediation by confirming the vulnerable version or configuration is no longer present.
  • Monitor for suspicious application behavior or unexpected parameter handling around affected systems.

Evidence notes

The supplied corpus identifies Craft CMS as the affected product and CISA KEV as the source of exploitation-driven prioritization. CISA's catalog entry lists the vulnerability name, date added, due date, and required action. The official CVE and NVD records are provided as corroborating references, but no CVSS score or deeper technical advisory text is included in the supplied data.

Official resources

Publicly disclosed on 2025-06-02 and added to CISA's Known Exploited Vulnerabilities catalog the same day.