QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-25493

Back to search

CVE-2026-25493

Published: Feb 9, 2026

Modified: Feb 10, 2026

PUBLISHED

Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.

VendorProductVersions

craftcms

cms

affected
>= 5.0.0-RC1, < 5.8.22
affected
>= 4.0.0-RC1, < 4.16.18

Weaknesses (CWE)

CWE-918

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now