Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-ppet-ruae-1kav
Summary
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
The `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.

---
Aliases
0
alias CVE-2026-25493
1
alias GHSA-8jr8-7hr4-vhfx
Fixed_packages
0
url pkg:composer/craftcms/cms@4.16.18
purl pkg:composer/craftcms/cms@4.16.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18
1
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
Affected_packages
0
url pkg:composer/craftcms/cms@4.0.0-RC1
purl pkg:composer/craftcms/cms@4.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-2vn9-2cs3-vbg3
3
vulnerability VCID-7y4f-ef7t-47eb
4
vulnerability VCID-8u2j-17a4-q7eh
5
vulnerability VCID-9enr-b6zd-mbh8
6
vulnerability VCID-akrv-yqnf-1kg8
7
vulnerability VCID-azr5-12f8-hfbm
8
vulnerability VCID-cys8-jnmu-77ec
9
vulnerability VCID-ec34-nvn3-qbcb
10
vulnerability VCID-f7gc-cgka-tycr
11
vulnerability VCID-hyct-5gap-7kdu
12
vulnerability VCID-jeyh-3jxd-z3g6
13
vulnerability VCID-jhen-vhqx-n7dr
14
vulnerability VCID-jxz8-g6fq-dubw
15
vulnerability VCID-kbrc-85av-nfcn
16
vulnerability VCID-m5rf-usae-yfb7
17
vulnerability VCID-ppet-ruae-1kav
18
vulnerability VCID-qwmy-d2e8-5khw
19
vulnerability VCID-qywv-vf4r-8bh9
20
vulnerability VCID-twuy-wzb7-k7g3
21
vulnerability VCID-vasz-rnn1-67ev
22
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1
1
url pkg:composer/craftcms/cms@5.0.0-RC1
purl pkg:composer/craftcms/cms@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-4wkr-jx1w-77hn
4
vulnerability VCID-5mnd-qvaq-k3am
5
vulnerability VCID-5q5g-jrxm-eyhe
6
vulnerability VCID-7y4f-ef7t-47eb
7
vulnerability VCID-8u2j-17a4-q7eh
8
vulnerability VCID-9enr-b6zd-mbh8
9
vulnerability VCID-a3b5-pwyh-yugv
10
vulnerability VCID-akrv-yqnf-1kg8
11
vulnerability VCID-azr5-12f8-hfbm
12
vulnerability VCID-cys8-jnmu-77ec
13
vulnerability VCID-esma-wxje-eqh3
14
vulnerability VCID-fpea-e48p-kfbn
15
vulnerability VCID-hkp9-3hzv-quhk
16
vulnerability VCID-hyct-5gap-7kdu
17
vulnerability VCID-jeyh-3jxd-z3g6
18
vulnerability VCID-jxz8-g6fq-dubw
19
vulnerability VCID-kbrc-85av-nfcn
20
vulnerability VCID-m5rf-usae-yfb7
21
vulnerability VCID-pgm4-svq8-tfc5
22
vulnerability VCID-ppet-ruae-1kav
23
vulnerability VCID-qywv-vf4r-8bh9
24
vulnerability VCID-rb7c-3nkc-gkeg
25
vulnerability VCID-twuy-wzb7-k7g3
26
vulnerability VCID-vasz-rnn1-67ev
27
vulnerability VCID-vvhc-rnpr-ubey
28
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1
References
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98
reference_id
reference_type
scores
url https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98
2
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.16.18
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25493
reference_id CVE-2026-25493
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-25493
5
reference_url https://github.com/advisories/GHSA-8jr8-7hr4-vhfx
reference_id GHSA-8jr8-7hr4-vhfx
reference_type
scores
url https://github.com/advisories/GHSA-8jr8-7hr4-vhfx
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx
reference_id GHSA-8jr8-7hr4-vhfx
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx
Weaknesses
0
cwe_id 918
name Server-Side Request Forgery (SSRF)
description The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-ppet-ruae-1kav