{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25493", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.823Z", "datePublished": "2026-02-09T19:36:58.713Z", "dateUpdated": "2026-02-10T16:00:35.771Z"}, "containers": {"cna": {"title": "Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx"}, {"name": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98"}, {"name": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.8.22", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.16.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:36:58.713Z"}, "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22."}], "source": {"advisory": "GHSA-8jr8-7hr4-vhfx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:50.842190Z", "id": "CVE-2026-25493", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:00:35.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25493", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:50.842190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:51.551Z"}}], "cna": {"title": "Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect", "source": {"advisory": "GHSA-8jr8-7hr4-vhfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.22"}, {"status": "affected", "version": ">= 4.0.0-RC1, < 4.16.18"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98", "name": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "name": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:36:58.713Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25493", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:00:35.771Z", "dateReserved": "2026-02-02T16:31:35.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T19:36:58.713Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "29EBFBEA-6CFF-49DD-BEE0-3E65E89DEA2E", "versionEndExcluding": "4.16.18", "versionStartExcluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1C69442-81E7-4695-B09C-E7811765D283", "versionEndExcluding": "5.8.22", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22."}, {"lang": "es", "value": "Craft es una plataforma para crear experiencias digitales. En las versiones de Craft 4.0.0-RC1 a 4.16.17 y 5.0.0-RC1 a 5.8.21, la mutaci\u00f3n GraphQL saveAsset valida el nombre de host de la URL inicial y la IP resuelta contra una lista de bloqueo, pero Guzzle sigue las redirecciones HTTP por defecto. Un atacante puede eludir todas las protecciones SSRF al alojar una redirecci\u00f3n que apunta a puntos finales de metadatos en la nube o a cualquier direcci\u00f3n IP interna. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."}], "id": "CVE-2026-25493", "lastModified": "2026-02-19T19:20:06.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T20:15:57.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-RC1,4.16.18)"}}], "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-17T21:16:29.462969+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to a patched release (4.16.18 or newer, or 5.8.22 or newer).", "Configure the Guzzle HTTP client used in asset uploads to disable automatic redirection so that the host and IP checks are enforced.", "Restrict the GraphQL Asset Mutation endpoint to only allow URLs that resolve to trusted domains or IP ranges, and block internal or cloud metadata endpoints."], "summary": {"action": "Patch", "impact": "Server Side Request Forgery via GraphQL Asset Mutation"}, "threat_synthesis": {"affected_systems": "All Craft CMS releases from 4.0.0\u2011RC1 to 4.16.17 and from 5.0.0\u2011RC1 to 5.8.21 are vulnerable. The issue is fixed in 4.16.18 and 5.8.22.", "description_and_impact": "Craft CMS allows attackers to inject a URL into the saveAsset GraphQL mutation. The application validates the target hostname and resolved IP against a blacklist, but the underlying Guzzle HTTP client follows redirects by default. An attacker can thus place a redirect that points to cloud metadata or internal IP addresses, bypassing all SSRF safeguards and enabling remote server side request forgery, data exfiltration, or privilege escalation.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, while the EPSS score below 1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need control over a GraphQL request to the application; once someone runs the malicious mutation, the server\u2019s HTTP client will follow the redirect and access the target internal resource."}}}}, "created": "2026-02-10T15:37:30.523059+00:00", "updated": "2026-04-17T21:30:28.381776+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}