Craft CMS Server-Side Request Forgery (SSRF) Vulnerability - CVE-2026-27129
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS's GraphQL Asset mutation uses gethostbyname(), which only resolves IPv4 (A) records. When a hostname has only AAAA (IPv6) records, the function returns the unmodified hostname string instead of an address, so the blocklist comparison never matches and the SSRF protection is bypassed entirely. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the <VolumeName> volume and creating assets in the <VolumeName> volume. These permissions may be granted to authenticated users with the appropriate GraphQL schema access and/or through the Public Schema if it is misconfigured with write permissions. Versions 4.16.19 and 5.8.23 patch the issue.
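The failure mode described above, as an added example that is not Craft CMS code: a blocklist check that resolves only IPv4 (standing in for PHP's gethostbyname(), which returns the hostname unchanged when there is no A record) is placed beside a fail-closed check that resolves every address family and rejects the target if any returned address is blocked. The resolver is injected so the block runs offline against a constructed DNS table; the hostnames, the table and the function names are assumptions for illustration, and the vulnerable_check function mimics the flaw as the advisory describes it rather than reproducing Craft's own code.

```python
"""Added example (not Craft CMS code): IPv4-only SSRF blocklist check vs. a
fail-closed check that resolves both A and AAAA records.

The resolver is injected so this runs offline; FAKE_DNS is a constructed
table and every hostname in it is hypothetical.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS answers (hypothetical names, documentation/private addresses).
FAKE_DNS: dict[str, list[str]] = {
    "cdn.example.net": ["203.0.113.10"],           # A only, public
    "meta.internal.example": ["169.254.169.254"],  # A only, link-local metadata
    "v6only.example": ["::1"],                     # AAAA only, IPv6 loopback
    "dual.example": ["198.51.100.7", "fd00::1"],   # public A, private (ULA) AAAA
}

# Ranges an SSRF filter should refuse: RFC 1918, loopback, link-local, ULA,
# the unspecified block and IPv4-mapped IPv6 (which would smuggle v4 targets).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def fake_resolve_ipv4_only(host: str) -> str:
    """Mimics PHP gethostbyname(): first A record, or the UNMODIFIED hostname
    when the name has no IPv4 answer (including AAAA-only names)."""
    for addr in FAKE_DNS.get(host, []):
        if ipaddress.ip_address(addr).version == 4:
            return addr
    return host


def fake_resolve_all(host: str) -> list[str]:
    """Mimics getaddrinfo(host, None, AF_UNSPEC): every A and AAAA answer."""
    return list(FAKE_DNS.get(host, []))


def system_resolve_all(host: str) -> list[str]:
    """Real resolver for production use (does network I/O, so not the default here)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_blocked(addr: IPAddress) -> bool:
    return any(addr in net for net in BLOCKED_NETWORKS)


def vulnerable_check(host: str, resolve: Callable[[str], str] = fake_resolve_ipv4_only) -> bool:
    """Flawed pattern: resolve to a single IPv4 string, then compare against the
    blocklist. When the resolver hands back the hostname itself, nothing in the
    blocklist can match, so the request is allowed. Returns True if allowed."""
    resolved = resolve(host)
    try:
        ip = ipaddress.ip_address(resolved)
    except ValueError:
        return True  # not an IP literal: comparison "fails" and the target passes
    return not is_blocked(ip)


def hardened_check(host: str, resolve: Callable[[str], list[str]] = fake_resolve_all) -> bool:
    """Fail-closed pattern: resolve every address family and deny if resolution
    fails, if any answer is not an IP literal, or if ANY answer is blocked.
    Returns True only when every returned address is acceptable."""
    addrs = resolve(host)
    if not addrs:
        return False
    for raw in addrs:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False
        if is_blocked(ip):
            return False
    return True


def compare_all() -> dict[str, tuple[bool, bool]]:
    """(vulnerable_allowed, hardened_allowed) for each constructed hostname."""
    return {h: (vulnerable_check(h), hardened_check(h)) for h in FAKE_DNS}


if __name__ == "__main__":
    for host, (vuln, hard) in compare_all().items():
        print(f"{host:24} vulnerable={'allow' if vuln else 'deny':5} hardened={'allow' if hard else 'deny'}")
```

In the constructed table, the AAAA-only loopback name and the dual-stack name with a private AAAA record both pass the IPv4-only check and are refused by the hardened one. Resolving all families is necessary but not sufficient: a validator that resolves once and then lets the HTTP client resolve again is still open to DNS rebinding, so the address that passed the check should be the one actually connected to (or the check repeated per redirect hop).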