CVE-2026-25492

MEDIUM EPSS 33.6%
Published Feb 9, 20264mo ago · Modified Jun 17, 20261w ago
5.3 CVSS 4.0
Medium
Find Similar
Published Feb 9, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
33.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 2

VendorProductVersionRange
craftcmscraft_cms*≥3.5.0  –  <4.16.18
craftcmscraft_cms*≥5.0.0  –  <5.8.22

References 3

  • github.com https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff
    Patch
  • github.com https://github.com/craftcms/cms/releases/tag/5.8.22
    ProductRelease Notes
  • github.com https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff
    Patch
  • github.com https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8
    ExploitPatchVendor Advisory