CVE-2026-55791
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| craftcms | cms | >= 5.0.0-RC1, < 5.10.0 | affected |
| craftcms | cms | >= 4.0.0-RC1, < 4.18.0 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
- CWE-644: CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff
- https://github.com/craftcms/cms/pull/18559
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.