CVE-2026-25492 | MEDIUM | ≥ 5.0.0-RC1, < 5.8.22 · ≥ 3.5.0, < 4.16.18 | 2026-02-09
CVE-2026-25492 [MEDIUM] CWE-918 Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host
### Summary
- The save_images_Asset GraphQL mutation lets a user supply the URL of an image to download. (The URL must use a domain name, not a raw IP address.)
- Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 (special A
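
The summary above shows why rejecting raw IP literals is not enough: the hostname itself passes the check, and only its DNS answer points at the link-local address. The following is an added defensive example, not Craft CMS code; `check_fetch_url`, the resolver functions and the `images.example.org` entry are hypothetical names and constructed data, and the check is done on the resolved addresses rather than on the URL text.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline. "attacker.domain" and
# 169.254.169.254 come from the advisory; the second entry is made up.
CONSTRUCTED_DNS = {
    "attacker.domain": ["169.254.169.254"],
    "images.example.org": ["93.184.216.34"],
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host):
    """Every A/AAAA address the name currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable answer: refuse rather than guess
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address inside it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for link-local, loopback, private and reserved ranges.
    return ip.is_global

def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason, ip_to_connect_to) for a user-supplied URL."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return (False, "unsupported scheme or missing host", None)
    try:
        ipaddress.ip_address(host)
        return (False, "raw IP literal", None)  # the check the advisory mentions
    except ValueError:
        pass  # a name, so the decision depends on what it resolves to
    try:
        addrs = resolver(host)
    except OSError:
        return (False, "resolution failed", None)
    for addr in addrs:
        if not is_public(addr):
            return (False, f"{host} resolves to non-public address {addr}", None)
    # Connect to this exact address; resolving again at fetch time could differ.
    return (True, "ok", addrs[0]) if addrs else (False, "no addresses", None)
```

The returned address is meant to be the one the HTTP client connects to, so the validation and the fetch cannot see different DNS answers.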
ghsa · osv