Server-Side Request Forgery Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-25493
6.9 MEDIUM
What is CVE-2026-25493?
Craft CMS, a platform for digital experiences, is vulnerable to server-side request forgery (SSRF) due to improper validation in the saveAsset GraphQL mutation. Because of this flaw, an attacker can use HTTP redirects to circumvent the SSRF protections and reach sensitive cloud metadata endpoints or internal IP addresses. The issue has been fixed in versions 4.16.18 and 5.8.22; users should upgrade to protect their installations against potential exploitation.
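The redirect-based bypass described above, reduced to its general pattern in an added, self-contained Python example (this is not Craft CMS code and not the vendor's fix): a fetcher that validates only the user-supplied URL and then lets the HTTP client follow redirects, beside one that turns automatic redirects off and runs the same check on every hop before requesting it. The DNS table, the HTTP responses and the host names are constructed so the script runs offline; `assert_safe_target`, `fetch_naive`, `fetch_hardened` and `outcome` are names chosen for this example.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed DNS table so the example runs offline; no real lookups happen.
# 11.22.33.x are arbitrary public-looking addresses rather than the RFC 5737
# documentation ranges, because Python's ipaddress classes 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 as non-global, which would confuse the demo.
FAKE_DNS = {
    "cdn.example.com": ["11.22.33.44"],
    "redirector.example.com": ["11.22.33.45"],
    "metadata.internal": ["169.254.169.254"],   # link-local, cloud-metadata style
    "intranet.local": ["10.0.0.5"],             # RFC 1918 private
}

# Constructed HTTP responses keyed by URL: (status, Location header or body).
FAKE_HTTP = {
    "https://cdn.example.com/photo.jpg": (200, "JPEG bytes (constructed)"),
    "https://redirector.example.com/hop": (302, "/go"),   # relative Location
    "https://redirector.example.com/go": (302, "http://metadata.internal/latest/"),
    "http://metadata.internal/latest/": (200, "INTERNAL METADATA (constructed)"),
    "http://intranet.local/admin": (200, "INTRANET PAGE (constructed)"),
}


class UnsafeTarget(Exception):
    """Raised when a URL must not be fetched on behalf of a user."""


def resolve(host):
    """Look the host up in the constructed table (stand-in for DNS)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise UnsafeTarget(f"unresolvable host: {host}") from None


def assert_safe_target(url):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeTarget(f"disallowed scheme: {parsed.scheme!r}")
    if not parsed.hostname:
        raise UnsafeTarget("missing host")
    for addr in resolve(parsed.hostname):
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, link-local, RFC 1918, reserved, etc.
        if not ip.is_global or ip.is_multicast:
            raise UnsafeTarget(f"{parsed.hostname} resolves to non-public {addr}")


def fake_request(url):
    """Stand-in for one HTTP request made with redirect following disabled."""
    return FAKE_HTTP.get(url, (404, "not found (constructed)"))


def fetch_naive(url, max_redirects=5):
    """Vulnerable pattern: the check runs once on the submitted URL, and the
    client then follows Location headers without re-validating them."""
    assert_safe_target(url)
    for _ in range(max_redirects + 1):
        status, payload = fake_request(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, payload)   # blindly follow the redirect
            continue
        return status, payload
    raise UnsafeTarget("too many redirects")


def fetch_hardened(url, max_redirects=5):
    """Hardened pattern: automatic redirects are off, and every hop's
    destination passes the same check before it is requested."""
    for _ in range(max_redirects + 1):
        assert_safe_target(url)
        status, payload = fake_request(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, payload)   # resolve relative Location, then re-check
            continue
        return status, payload
    raise UnsafeTarget("too many redirects")


def outcome(fetch_fn, url):
    """Return the fetched body, or 'blocked: <reason>' when the fetcher refuses."""
    try:
        _status, body = fetch_fn(url)
        return body
    except UnsafeTarget as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for url in ("https://cdn.example.com/photo.jpg",
                "http://intranet.local/admin",
                "https://redirector.example.com/hop"):
        print(f"{url}\n  naive:    {outcome(fetch_naive, url)}"
              f"\n  hardened: {outcome(fetch_hardened, url)}")
```

Both fetchers reject a direct request to a private or link-local host, which is why a first-URL-only check looks adequate in testing; the difference shows only on the redirect chain, where the naive fetcher ends up reading the internal response and the hardened one stops at the hop whose host resolves to a non-public address. With a real HTTP client the equivalent is disabling redirect following and looping as above. Two further points a practitioner should carry over: the check resolves the name at validation time while the client resolves it again at connect time, so a hostile DNS answer can change between the two (pin the validated address for the actual connection), and the per-hop check must also cover scheme changes, since a redirect to a non-http(s) scheme is refused here for the same reason.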
Affected Version(s)
cms: affected >= 5.0.0-RC1, < 5.8.22 (unaffected: < 5.0.0-RC1, 5.8.22)
cms: affected >= 4.0.0-RC1, < 4.16.18 (unaffected: < 4.0.0-RC1, 4.16.18)
