SCA: security update for craftcms/cms (GHSA-x27p-wfqw-hfcc)

medium Tenable Self-Hosted Container Security Plugin ID 436564

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1
through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side
Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url`
parameter, allows the server to fetch content from arbitrary remote locations without proper validation.
Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`,
forcing the server to make requests to these restricted services. The fetched content is then saved as an
asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and
infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management
within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the
issue. (CVE-2025-68437)

See Also

https://github.com/advisories/GHSA-x27p-wfqw-hfcc

Plugin Details

Severity: Medium

ID: 436564

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/5/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

Percentile: 96.43

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2025-68437

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.9

Threat Score: 5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/5/2026

Vulnerability Publication Date: 1/5/2026

Reference Information

CVE: CVE-2025-68437

cwe: CWE-918