CVE-2026-25494
Last modified
CVE-2026-25494 is a medium-severity vulnerability rated 6.9/10 on the CVSS scale. Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. EPSS estimates a 0.36% chance of exploitation in the next 30 days.
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Craftcms | Craft Cms | > 4.0.0, < 4.16.18 | — |
| Craftcms | Craft Cms | > 5.0.0, < 5.8.22 | — |
| Craftcms | Craft Cms | 4.0.0 | — |
| Craftcms | Craft Cms | 5.0.0 | Rc1 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-25494?
How severe is CVE-2026-25494?
How do I fix CVE-2026-25494?
Are you affected by CVE-2026-25494?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST