CVE-2026-55791
Status: Received - Intake

Server-Side Request Forgery in Craft CMS

Vulnerability report for CVE-2026-55791, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and later prior to 4.18.0, and 5.0.0-RC1 and later prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and arbitrary JavaScript injection through the /actions/app/resource-js endpoint. Because the default trustedHosts configuration is permissive, an attacker can poison the Host or X-Forwarded-Host header and thereby manipulate the application's $baseUrl. This bypasses the endpoint's internal URL validation, so the backend Guzzle client fetches a malicious payload from an attacker-controlled server and reflects it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs

Vendor     Product     Version / Range
craftcms   craft_cms   From 4.0.0-rc1 (inc) to 4.18.0 (exc)
craftcms   craft_cms   From 5.0.0-rc1 (inc) to 5.10.0 (exc)
craftcms   craft_cms   4.18.0
craftcms   craft_cms   5.10.0

Note: 4.18.0 and 5.10.0 are the fixed releases named in the description, so only the two ranges above identify vulnerable versions; the two single-version entries are the patched CPEs associated with the record.

Exploitability

CWE ID    Description
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-644   The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Executive Summary

CVE-2026-55791 is a vulnerability in Craft CMS 4.x from 4.0.0-RC1 up to but not including 4.18.0, and 5.x from 5.0.0-RC1 up to but not including 5.10.0, that allows Server-Side Request Forgery (SSRF) and arbitrary JavaScript injection through the /actions/app/resource-js endpoint.

The issue arises because the default trustedHosts configuration is permissive, allowing an attacker to poison the Host or X-Forwarded-Host HTTP headers. This manipulation changes the application's base URL ($baseUrl), bypassing internal URL validation.

As a result, the backend HTTP client (Guzzle) fetches a malicious payload from an attacker-controlled server and returns it to the client with a Content-Type of application/javascript. This vulnerability manifests when the assetManager.cacheSourcePaths setting is false.

The attack chains three weaknesses: permissive proxy trust that lets a client supply the Host or X-Forwarded-Host value, URL validation that trusts the resulting $baseUrl so the HTTP client follows it, and a response that is always served as JavaScript. On its own this gives an unauthenticated attacker blind SSRF and a JavaScript response under the site's origin; if that response is cached or loaded by a logged-in control panel user it becomes web cache poisoning or stored XSS. The Remote Code Execution (RCE) outcome below is a further step riding an administrator's session, not a direct effect of the SSRF.

Impact Analysis

Exploiting this vulnerability can have several serious impacts:

  • Blind Server-Side Request Forgery (SSRF): the backend Guzzle client fetches an attacker-chosen URL, which can be used to probe hosts on the server's internal network; the response body is not returned to the attacker unless it happens to be served back as the JavaScript resource.
  • Web Cache Poisoning: a malicious JavaScript response for /actions/app/resource-js is stored by an intermediate cache and served to other users, including authenticated ones.
  • Stored Cross-Site Scripting (XSS): the poisoned script executes in the browser of a control panel user, in the site's origin, with that administrator's session.
  • Remote Code Execution (RCE) via session riding: script running as an administrator can read CSRF tokens and drive control panel actions such as installing a plugin, which executes server-side PHP. This step depends on an administrator loading the poisoned script and on plugin installation being permitted in that installation.

Overall, this can lead to full compromise of the Craft CMS control panel and potentially the underlying server.

Detection Guidance

Detection centres on requests to `/actions/app/resource-js` whose Host or X-Forwarded-Host header names a host the site is not served under. The endpoint needs no authentication, so unauthenticated sources sending a foreign host value to this path are the signal to look for.

The best vantage point is the web server or reverse proxy in front of Craft, since that is where the headers arrive. Note that the default nginx `combined` log format records neither the Host header nor X-Forwarded-Host; add `$host` and `$http_x_forwarded_host` to a custom `log_format` before relying on log searches, and remember that nginx writes `-` for a header that is absent.

  • Use tcpdump or Wireshark only on a plaintext segment (for example between the TLS-terminating proxy and the PHP backend) and filter for requests to `/actions/app/resource-js`; on the public side the traffic is TLS and the headers are not visible without decryption.
  • Example search of web server logs, valid only once the headers are being logged as described above: `grep -i 'X-Forwarded-Host' /var/log/nginx/access.log | grep '/actions/app/resource-js'`
  • Manual probe with overridden headers against a host you control (never a third party): `curl -H 'Host: attacker.com' -H 'X-Forwarded-Host: attacker.com' https://your-craftcms-site.com/actions/app/resource-js -v`. Compare the result with a patched instance: a vulnerable one answers with content fetched from the supplied host and `Content-Type: application/javascript`, while a patched or correctly configured one ignores the foreign host.

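The following Python script is an added example written for this page, not code from Craft CMS or from the advisory. It applies the log check described above to nginx access-log lines, flagging every request to `/actions/app/resource-js` whose Host or X-Forwarded-Host falls outside an allowlist of the site's own host names. It assumes a custom nginx `log_format` that records `$host` and `$http_x_forwarded_host` (shown in the docstring); the allowlist, the addresses and the log lines are constructed for the example.

```python
"""Flag Host / X-Forwarded-Host poisoning against Craft CMS's
/actions/app/resource-js endpoint in nginx access logs.

Assumption (not from the advisory): nginx uses a custom log_format that
records $host and $http_x_forwarded_host, for example

    log_format hostaudit '$remote_addr - [$time_local] "$request" $status '
                         'host="$host" xfh="$http_x_forwarded_host"';

The stock "combined" format records neither value, and nginx writes "-"
for a header that is absent.
"""
import re
from dataclasses import dataclass

# Host names the site is legitimately served under (example values).
TRUSTED_HOSTS = frozenset({"example.com", "www.example.com"})

VULN_PATH = "/actions/app/resource-js"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
    r'host="(?P<host>[^"]*)" xfh="(?P<xfh>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    host: str
    xfh: str
    reason: str


def hostname(value: str) -> str:
    """Normalise a Host-style value: first entry of a comma list, lowercase,
    port removed, IPv6 brackets kept. 'Evil.Example.NET:8080' -> 'evil.example.net'."""
    first = value.split(",")[0].strip().lower()
    if first.startswith("["):           # [::1]:8080 -> [::1]
        return first.split("]")[0] + "]"
    return first.split(":")[0]


def analyse(lines, trusted=TRUSTED_HOSTS):
    """Return one Finding per request to the vulnerable endpoint whose Host
    or X-Forwarded-Host names a host outside the trusted set."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not in the expected format, skip
        if m["target"].split("?", 1)[0] != VULN_PATH:
            continue                    # only the endpoint named in the advisory
        host, xfh = m["host"], m["xfh"]
        reasons = []
        if hostname(host) not in trusted:
            reasons.append(f"untrusted Host {host!r}")
        if xfh not in ("", "-") and hostname(xfh) not in trusted:
            reasons.append(f"untrusted X-Forwarded-Host {xfh!r}")
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], m["target"], host, xfh, "; ".join(reasons)))
    return findings


# Constructed sample log lines in the format above; addresses and host names
# come from documentation ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - [02/Jul/2026:10:00:01 +0000] "GET /actions/app/resource-js?v=1 HTTP/1.1" 200 host="www.example.com" xfh="-"',
    '203.0.113.7 - [02/Jul/2026:10:00:02 +0000] "GET /actions/app/resource-js HTTP/1.1" 200 host="www.example.com" xfh="evil.example.net"',
    '203.0.113.9 - [02/Jul/2026:10:00:03 +0000] "GET /actions/app/resource-js HTTP/1.1" 200 host="evil.example.net" xfh="-"',
    '203.0.113.9 - [02/Jul/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 host="evil.example.net" xfh="-"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.target}: {f.reason}")
```

Only the two requests to the vulnerable endpoint with a foreign host value are reported; the request to `/index.php` with a bad Host is deliberately left out so the rule stays scoped to this CVE. The same host normalisation applies to both headers because Craft, via Yii, derives `$baseUrl` from X-Forwarded-Host when the sender is trusted and from Host otherwise.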
Mitigation Strategies

The primary mitigation is to upgrade Craft CMS to a patched version where this vulnerability is fixed: version 4.18.0 or later, or 5.10.0 or later.

Additionally, review and tighten the `trustedHosts` general config setting. In Craft it defaults to `['any']`, which makes Yii accept forwarded headers such as X-Forwarded-Host from every client address; restrict it to the IP addresses or ranges of your own reverse proxy so that values sent directly by clients are ignored. Independently, configure the web server to answer only for the site's real server names, so a request carrying a foreign Host header never reaches PHP.

Check the `assetManager.cacheSourcePaths` setting in the application component config: the advisory states that the vulnerable behaviour manifests when it is false, so not disabling it closes this particular path. Treat that as a workaround, not a substitute for the upgrade.

If an immediate upgrade is not possible, add network-level protections: reject requests whose Host or X-Forwarded-Host does not match an expected host name, or block access to `/actions/app/resource-js` at the proxy until the fixed version is deployed.

Compliance Impact

The vulnerability in Craft CMS allows an attacker to perform Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection, which can lead to Stored Cross-Site Scripting (XSS) and potentially Remote Code Execution (RCE). This can result in unauthorized access to sensitive data or manipulation of the application.

Such unauthorized access and data manipulation could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Specifically, exploitation of this vulnerability could lead to data exposure or unauthorized actions within the CMS, potentially violating data protection requirements and security controls mandated by these regulations.
