CVE-2026-25494
CVE-2026-25494 is a medium-severity vulnerability in Craftcms Craft Cms with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-918.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 6.9
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-6840
- Weakness: CWE-918
- Affected product: Craftcms Craft Cms
- Published:
- Last modified:
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
Frequently asked questions
- What is CVE-2026-25494?
- Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
- How severe is CVE-2026-25494?
- CVE-2026-25494 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2026-25494 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-25494?
- CVE-2026-25494 primarily affects Craftcms Craft Cms. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-25494?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-25494 have an EU (EUVD) identifier?
- Yes. CVE-2026-25494 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-6840.
- When was CVE-2026-25494 published?
- CVE-2026-25494 was published on 2026-02-09 and last updated on 2026-06-17.
References
- https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2
- https://github.com/craftcms/cms/releases/tag/5.8.22
- https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m
Affected products (6)
- cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
- cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
More vulnerabilities in Craftcms Craft Cms
- CVE-2025-32432 — Critical (CVSS 10.0): Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from…
- CVE-2023-41892 — Critical (CVSS 10.0): Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users…
- CVE-2026-32267 — Critical (CVSS 9.8): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version…
- CVE-2024-56145 — Critical (CVSS 9.8): Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected…
- CVE-2024-37843 — Critical (CVSS 9.8): Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
- CVE-2021-27903 — Critical (CVSS 9.8): An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution…
All CVEs affecting Craftcms Craft Cms →
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →