Server-Side Request Forgery Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-25493
What is CVE-2026-25493?
Craft CMS, a platform for digital experiences, is vulnerable to server-side request forgery (SSRF) because of improper validation in the saveAsset GraphQL mutation. The mutation's SSRF protections are checked against the URL an attacker submits, but not against the target of an HTTP redirect that URL returns, so an attacker-controlled host can redirect the request to a cloud metadata endpoint or an internal IP address and have the server fetch it. The issue is fixed in versions 4.16.18 and 5.8.22; users should upgrade to one of those releases.
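The redirect bypass described above is a general SSRF failure mode, not specific to Craft CMS, and the following is an added illustration of it written for this page; it is not Craft's code, its patch, or an exploit against it. It contrasts a fetcher that validates only the submitted URL with one that re-validates every redirect hop before requesting it. The resolver and the "network" are constructed in-memory maps (the hostnames, addresses and paths are made up) so the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Illustrative, not exhaustive: names that metadata services answer on.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}

# Constructed resolver (hostname -> IP) so no real DNS is needed.
FAKE_DNS = {
    "files.example.test": "93.184.216.34",          # stands in for any public host
    "metadata.google.internal": "169.254.169.254",
}

# Constructed "network": URL -> (status, Location header or response body).
FAKE_NETWORK = {
    "https://files.example.test/image.png": (200, b"\x89PNG\r\n\x1a\n"),
    "https://files.example.test/innocent.png": (302, "http://169.254.169.254/latest/meta-data/"),
    "https://files.example.test/hop.png": (302, "/innocent.png"),   # relative redirect
    "http://169.254.169.254/latest/meta-data/": (200, b"ami-id\ninstance-id\n"),
}


def resolve(host):
    """IP literals resolve to themselves; names go through the constructed table."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        ip = FAKE_DNS.get(host)
        return ipaddress.ip_address(ip) if ip else None


def is_safe_target(url):
    """Allow only http(s) URLs whose host resolves to a globally routable address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES:
        return False
    addr = resolve(host)
    if addr is None:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before the range check,
    # otherwise a link-local target can be smuggled past an IPv4-only blocklist.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global


def fake_http_get(url):
    if url not in FAKE_NETWORK:
        raise LookupError("no such resource: " + url)
    return FAKE_NETWORK[url]


def naive_fetch(url):
    """Vulnerable pattern: validate the submitted URL once, then follow redirects blindly."""
    if not is_safe_target(url):
        raise ValueError("blocked: " + url)
    for _ in range(MAX_REDIRECTS + 1):
        status, payload = fake_http_get(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, payload)   # redirect target is never re-checked
            continue
        return payload
    raise ValueError("too many redirects")


def hardened_fetch(url):
    """Validate every hop, including each redirect target, before requesting it."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_target(url):
            raise ValueError("blocked: " + url)
        status, payload = fake_http_get(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, payload)   # resolved relative to the current hop
            continue
        return payload
    raise ValueError("too many redirects")


def fetch_outcome(fetcher, url):
    """Run a fetcher and report ('ok', body) or ('blocked', reason)."""
    try:
        return ("ok", fetcher(url))
    except ValueError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for name, fetcher in (("naive", naive_fetch), ("hardened", hardened_fetch)):
        print(name, fetch_outcome(fetcher, "https://files.example.test/hop.png"))
```

The naive fetcher accepts the public-looking URL, follows the 302 chain, and returns the metadata body; the hardened one rejects the link-local hop. Re-checking each hop is necessary but not sufficient: a name can be re-resolved to a different address between the check and the connect (DNS rebinding), so production code should also connect to the address it validated rather than letting the HTTP client resolve the name again.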

Affected Version(s)
Package   Affected range              Not affected
cms       >= 5.0.0-RC1, < 5.8.22      < 5.0.0-RC1; fixed in 5.8.22
cms       >= 4.0.0-RC1, < 4.16.18     < 4.0.0-RC1; fixed in 4.16.18
