Vulnerability Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | < 4.16.18 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2Patch
- https://github.com/craftcms/cms/releases/tag/5.8.22Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5mExploitVendor AdvisoryPatch
FAQ
What is CVE-2026-25494?
CVE-2026-25494 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP)...
How severe is CVE-2026-25494?
CVE-2026-25494 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25494?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.