Moderate severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 10, 2026
Craft has an SSRF in GraphQL Asset Mutation via Alternative IP Notation
CVE-2026-25494
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
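The mechanism described above is a mismatch between two parsers: the validator (`filter_var` with `FILTER_VALIDATE_IP`) only understands canonical dotted-quad or RFC 4291 text, so a hexadecimal, octal, decimal or shortened form is treated as "not an IP" and never compared against the blocklist, while the resolver behind the HTTP client happily maps that same string to an address. The following is an added example, not code from Craft or from the referenced patch: Python's strict `ipaddress` parser stands in for `filter_var(..., FILTER_VALIDATE_IP)`, the platform `inet_aton()` mirrors the lenient parsing a fetcher applies, and the blocklist ranges and the hostname table in the test are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Constructed blocklist: ranges a server-side fetcher should never reach.
# Stands in for the advisory's "specific list of IP addresses".
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local (cloud metadata endpoints)
]


def strict_parse(host: str):
    """Analogue of filter_var(..., FILTER_VALIDATE_IP): accept only canonical
    address text, return None for every other spelling."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def naive_is_blocked(host: str) -> bool:
    """The vulnerable pattern: whatever the strict parser does not recognise
    is assumed not to be an address and is waved through."""
    addr = strict_parse(host)
    if addr is None:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def liberal_parse(host: str):
    """Canonicalise the way a resolver would: inet_aton() accepts hex
    (0x7f000001), octal (0177.0.0.1), decimal (2130706433) and shortened
    (127.1) forms, so all of them collapse to one IPv4Address."""
    addr = strict_parse(host)
    if addr is not None:
        return addr
    try:
        packed = socket.inet_aton(host)  # platform inet_aton, lenient on purpose
    except OSError:
        return None                       # not an address literal at all
    return ipaddress.IPv4Address(packed)


def hardened_is_blocked(host: str,
                        resolve: Callable[[str], List[str]] = lambda h: []) -> bool:
    """Check the address the fetcher will actually connect to. Address literals
    are canonicalised first; anything else is resolved (resolver is injected so
    the example runs offline) and every answer is checked. Fail closed when
    nothing usable comes back."""
    addr = liberal_parse(host)
    if addr is not None:
        candidates: List[Optional[ipaddress.IPv4Address]] = [addr]
    else:
        candidates = [liberal_parse(a) for a in resolve(host)]
    if not candidates or any(c is None for c in candidates):
        return True  # unresolvable or malformed answer: refuse rather than guess
    return any(c in net for c in candidates for net in BLOCKED_NETWORKS)


if __name__ == "__main__":
    for h in ["127.0.0.1", "0x7f000001", "127.1", "2130706433", "203.0.113.9"]:
        print(f"{h:>12}  naive={naive_is_blocked(h)!s:5}  hardened={hardened_is_blocked(h)}")
```

The check that matters is the one done on the canonical form the connection will use, which is why the patched approach is to normalise (or resolve) before comparing rather than to enumerate more spellings in the blocklist. A DNS answer can also change between the check and the fetch, so in production the resolved address should be pinned for the request itself.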
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched version |
|---|---|---|---|
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.8.22 | 5.8.22 |
| craftcms/cms | Packagist | >= 4.0.0-RC1, < 4.16.18 | 4.16.18 |
References
- github.com/advisories/GHSA-m5r2-8p9x-hp5m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25494 (NVD advisory)
- github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2 (fix commit)
- github.com/craftcms/cms/releases/tag/4.16.18 (release notes)
- github.com/craftcms/cms/releases/tag/5.8.22 (release notes)
- github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m (vendor advisory)