Vulnerability Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | < 4.16.18 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98Patch
- https://github.com/craftcms/cms/releases/tag/5.8.22Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfxExploitVendor AdvisoryPatch
FAQ
What is CVE-2026-25493?
CVE-2026-25493 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and re...
How severe is CVE-2026-25493?
CVE-2026-25493 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25493?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.