AWS CVE-2026-25492

Severity: MEDIUM, CVSS 3.1 base score 6.5
Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-02-09 by security-advisories@github.com (GHSA-96pq-hxpw-rgh8)
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Feb 19, 2026 - 19:12 (vuln.today) - public exploit code
Patch released: Feb 19, 2026 - 19:12 (nvd) - patch available
CVE Published: Feb 09, 2026 - 20:15 (nvd)

Description (NVD)

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs: the hostname validation inspects the name supplied in the URL rather than the address it resolves to, so an attacker-controlled domain name that resolves to an internal IP address passes the check. When the target volume allows a non-image file extension such as .txt, the fetched response never reaches the downstream image validation, so arbitrary bytes are stored. Together these allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.

Analysis (AI)

Craft CMS versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a server-side request forgery vulnerability in the save_images_Asset GraphQL mutation. An authenticated user with that permission can bypass hostname validation by supplying a domain name that resolves to a private or link-local IP address, causing the server to fetch an internal URL on the user's behalf. If the destination volume permits a non-image extension such as .txt, the downstream image validation is skipped and the fetched response is stored as an asset the attacker can read back, exposing data such as AWS instance metadata credentials from the host system. …
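The two checks the description says are bypassed, shown as an added example rather than Craft CMS code: a name-based host check of the kind that a domain resolving to 169.254.169.254 walks past, a resolve-then-check that rejects the URL if any resolved address is internal and pins the client to the vetted IP, and a magic-byte sniff so a permitted .txt extension cannot be used to store non-image bytes. The hostnames, the DNS table and the sample bytes are constructed for the demo; nothing is looked up on the network.

```python
"""Added example, not Craft CMS code: hostname-string check (bypassable) versus
resolve-then-check of every address, plus content sniffing of the fetched bytes.
All hostnames and the DNS table below are constructed for the demo."""
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed DNS table standing in for real resolution (offline demo).
FAKE_DNS = {
    "cdn.example.test": ["93.184.216.34"],               # ordinary public host
    "lookalike.example.test": ["169.254.169.254"],        # public name -> IMDS
    "dual.example.test": ["93.184.216.34", "10.0.0.5"],   # one public, one private
    "v6mapped.example.test": ["::ffff:169.254.169.254"],  # IMDS via mapped IPv6
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


# A name-based blocklist: the shape of check the advisory's bypass defeats.
BLOCKED_HOSTNAMES = {"localhost", "169.254.169.254", "metadata.google.internal"}


def weak_host_check(url: str) -> bool:
    """Returns True ("allowed") for any hostname not on the blocklist. It never
    resolves the name, so a domain pointing at 169.254.169.254 is allowed."""
    host = (urlparse(url).hostname or "").lower()
    return host not in BLOCKED_HOSTNAMES


def is_internal(addr: str) -> bool:
    """True for any address a server-side fetch must never reach: RFC 1918,
    loopback, link-local (including the 169.254.169.254 metadata endpoint),
    reserved, multicast, unspecified. IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def safe_fetch_target(url: str,
                      resolve: Callable[[str], list[str]] = fake_resolve) -> Optional[str]:
    """Resolve first, reject the URL if ANY resolved address is internal, and
    return the one IP the HTTP client must be pinned to. Pinning matters: a
    second lookup inside the client could return a different (rebound) answer."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:                                   # IP literal: no DNS involved
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs or any(is_internal(a) for a in addrs):
        return None
    return addrs[0]


# Leading bytes of the image types the mutation is meant to accept.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff_image(content: bytes) -> Optional[str]:
    """Identify image content by its leading bytes, ignoring the claimed extension."""
    for magic, kind in IMAGE_MAGIC.items():
        if content.startswith(magic):
            return kind
    return None


def accept_remote_asset(url: str, content: bytes) -> bool:
    """Both layers together: the target must be external AND the bytes must be an
    image, regardless of whether the URL ends in .txt or the volume allows .txt."""
    return safe_fetch_target(url) is not None and sniff_image(content) is not None
```

In production the resolver argument is the real DNS lookup (for example `socket.getaddrinfo`), and the returned IP is what the HTTP client connects to while the original hostname is kept only for the Host header and TLS SNI. Checking the resolved address once and then letting the client resolve again is the classic rebinding gap.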

Remediation (AI)

Within 30 days: identify Craft installations in the affected ranges (3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21) and upgrade to 4.16.18 or 5.8.22 as part of the regular patch cycle; a vendor patch is available. Until the upgrade lands, limit the GraphQL save_images_Asset permission to trusted accounts, since the attack requires an authenticated user who holds it. On AWS hosts, requiring IMDSv2 (token-based access with a hop limit of 1) is a general defence in depth that keeps a plain GET-based SSRF from reading instance role credentials; if abuse is suspected, rotate the instance role's credentials and review the asset volume for fetched non-image files.
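To find affected installations across a fleet, the version ranges above can be checked mechanically. The following is an added example, not Craft or vuln.today tooling: it parses a craftcms/cms version (with pre-release tags ordered alpha < beta < rc < final, so 5.0.0-RC1 sorts before 5.0.0) and reports the fixed release from this advisory; the composer.lock excerpt is constructed for the demo. The advisory names no separate 3.x fixed release, so 3.x installs are reported against 4.16.18.

```python
"""Added example, not Craft CMS tooling: classify an installed craftcms/cms
version against this advisory's ranges (3.5.0 through 4.16.17 and 5.0.0-RC1
through 5.8.21; fixed in 4.16.18 and 5.8.22). The composer.lock sample is
constructed for the demo."""
import json
import re
from typing import Optional, Tuple

_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """'5.8.21' -> (5, 8, 21, 3, 0); '5.0.0-RC1' -> (5, 0, 0, 2, 1).
    The fourth field ranks the stage so pre-releases sort before the final."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE[m.group(4).lower()], int(m.group(5) or 0))
    return (major, minor, patch, _FINAL, 0)


# Inclusive affected ranges and the first fixed release for each, from the advisory.
AFFECTED = [
    (parse_version("3.5.0"), parse_version("4.16.17"), "4.16.18"),
    (parse_version("5.0.0-RC1"), parse_version("5.8.21"), "5.8.22"),
]


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


def installed_craft_version(composer_lock: str) -> Optional[str]:
    """Pull craftcms/cms out of a composer.lock document (standard Composer layout)."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def audit_lockfile(composer_lock: str) -> str:
    """One-line verdict for a lockfile, suitable for a fleet-wide scan."""
    version = installed_craft_version(composer_lock)
    if version is None:
        return "craftcms/cms not present"
    fixed = fix_for(version)
    if fixed is None:
        return f"craftcms/cms {version}: not in the affected ranges"
    return f"craftcms/cms {version}: AFFECTED by CVE-2026-25492, upgrade to {fixed}"


# Constructed composer.lock excerpt (only the fields the check needs).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.21"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
```

Run it over each project's composer.lock; a deployment without a lockfile can be checked the same way by feeding the output of the project's own package listing into `fix_for`.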

CVE-2026-25492 vulnerability details – vuln.today
