
The Blocklist That Forgot About Time
CVE-2026-27127 dropped for Craft CMS today. High severity, SSRF via DNS rebinding. Standard advisory language, easy to skim past. But there's a detail buried in the patch notes that stopped me: this CVE is a bypass of CVE-2025-68437. That's a previous SSRF fix in the same codebase. They patched SSRF last year. The patch shipped. The pentesters signed off. And someone just walked straight through it.

That's not a bug. That's a category error that survived a security review.

What Actually Happened

The original fix added an IP blocklist. Before making any outbound HTTP request, Craft resolves the target hostname and checks the IP against a deny list: AWS metadata (169.254.169.254), GCP, Azure, RFC 1918 ranges, loopback, the usual. If the IP is on the list, the request is blocked.

Reasonable. Standard practice. Wrong.

Here's the vulnerable logic, reconstructed from the advisory:

// Validation: DNS lookup #1
$ip = gethostbyname($hostname);
if ( in_arr
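The time-of-check/time-of-use gap the post is describing, as an added illustration in Python (not Craft's code): a constructed resolver hands back a public address for the blocklist check and a metadata address for the connection, so the check-then-connect pattern passes validation yet ends up at the blocked host, while resolving once and connecting to the validated address does not. The function and variable names are assumptions for this example.

```python
import ipaddress
from typing import Callable, Iterator

# Ranges the post names as blocked: cloud metadata, RFC 1918, loopback.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                  # link-local, incl. 169.254.169.254
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
)]

def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)

def rebinding_resolver(answers: list[str]) -> Callable[[str], str]:
    """Constructed stand-in for attacker-controlled DNS with a zero TTL:
    each lookup of the same name returns the next answer in the list."""
    it: Iterator[str] = iter(answers)
    return lambda hostname: next(it)

def fetch_vulnerable(hostname: str, resolve: Callable[[str], str]) -> str:
    """Check-then-connect with two independent lookups (the pattern in the post)."""
    ip = resolve(hostname)           # DNS lookup #1: validation
    if is_blocked(ip):
        raise ValueError(f"blocked: {ip}")
    connect_ip = resolve(hostname)   # DNS lookup #2: inside the HTTP client
    return connect_ip                # the address a real client would open a socket to

def fetch_pinned(hostname: str, resolve: Callable[[str], str]) -> str:
    """Resolve once, validate that answer, and connect to that same address."""
    ip = resolve(hostname)           # the only lookup
    if is_blocked(ip):
        raise ValueError(f"blocked: {ip}")
    # A real client would connect to `ip` directly and carry `hostname` in the
    # Host header / TLS SNI, so no later resolution can move the destination.
    return ip

def demo() -> tuple[str, str]:
    # Constructed answers: public first, metadata second.
    attacker = ["93.184.216.34", "169.254.169.254"]
    vuln = fetch_vulnerable("rebind.example", rebinding_resolver(attacker))
    pinned = fetch_pinned("rebind.example", rebinding_resolver(attacker))
    return vuln, pinned   # returns ('169.254.169.254', '93.184.216.34')
```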
Continue reading on Dev.to




