REPRO-2026-00054 MEDIUM Verified

Craft CMS: Unauthenticated Database Backup Trigger

craftcms/cms (composer) Jan 8, 2026

Confidence HIGH

Reproduced in 36m 45s

Tool calls 51

What's the vulnerability?

Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.

Root Cause Analysis

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00054

or pruva-verify GHSA-v64r-7wg9-23pr

or pruva-verify CVE-2025-68456

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00054/artifacts/bundle/reproduction_steps.sh

Make executable

chmod +x reproduction_steps.sh

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

bundle/reproduction_steps.sh11.5 KB

bundle/repro/rca_report.md3.7 KB

bundle/ticket.md4.3 KB

bundle/logs/php-server-20260108-105857.log97.4 KB

bundle/logs/run-20260108-111029.log3.9 KB

bundle/logs/run-20260108-111630.log5.9 KB

bundle/logs/run-20260108-110610.log4.5 KB

bundle/logs/run-20260108-111918.log30.0 KB

bundle/logs/php-server-20260108-111918.log9.1 KB

bundle/logs/mysql-20260108-110310.log0.1 KB

bundle/logs/curl-20260108-105607.log1.8 KB

bundle/logs/run-20260108-105857.log40.3 KB

bundle/logs/run-20260108-105607.log31.2 KB

bundle/logs/mysql-20260108-105857.log0.1 KB

bundle/logs/run-20260108-110310.log20.8 KB

bundle/logs/mysql-20260108-105607.log0.1 KB

bundle/logs/run-20260108-111338.log3.9 KB

bundle/logs/php-server-20260108-105607.log0.5 KB

bundle/logs/run-20260108-111757.log2.9 KB