Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Craft CMS Server-Side Request Forgery (SSRF) Vulnerability - CVE-2026-25494 - Vulnerability Database
Craft CMS

Craft CMS Server-Side Request Forgery (SSRF) Vulnerability - CVE-2026-25494

Medium
Reference: CVE-2026-25494
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-25494
Title: Craft CMS Server-Side Request Forgery (SSRF) Vulnerability
Overview:

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 the saveAsset GraphQL mutation uses filter_var(... FILTER_VALIDATE_IP) to block a specific list of IP addresses. However alternative IP notations (hexadecimal mixed) are not recognized by this function allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.