CVE-2026-25494

Medium CVSS: 6.9

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.

Vendor

Craftcms

Product

Craft Cms

CWE

CWE-918

Yayın Tarihi

2026-02-09 20:15:57

Güncelleme

2026-02-19 19:17:44

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Craft Cms MEDIUM Craftcms 2026

Referanslar

https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2 https://github.com/craftcms/cms/releases/tag/5.8.22 https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m

Benzer Kayıtlar

Low

CVE-2026-33160

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-R…

Low

CVE-2026-33161

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-R…

Medium

CVE-2026-33162

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control pa…

High

CVE-2026-33157

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RC…

Medium

CVE-2026-33158

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-R…

Medium

CVE-2026-33159

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-R…