CVE-2026-25492Server-Side Request Forgery in Craft CMS

CWE-918Server-Side Request Forgery5 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 97.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Craftcms Craft CMSCraftcms CraftCraftcms CMS
Timeline
PublishedFeb 9

Description

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/craft5.0.0-RC15.8.22+1
NVDcraftcms/craft_cms3.5.04.16.18+1
CVEListV5craftcms/cms>= 3.5.0, < 4.16.18, >= 5.0.0-RC1, < 5.8.22+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host2026-02-09
GHSA
Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host2026-02-09
CVEList
Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host2026-02-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-25492 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25492 — Server-Side Request Forgery | cvebase