Server-Side Request Forgery and JavaScript Injection in Craft CMS 4.x and 5.x
CVE-2026-55791

6.9MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-55791?

Craft CMS contains a vulnerability that allows for Server-Side Request Forgery (SSRF) and arbitrary JavaScript injection via the /actions/app/resource-js endpoint. This issue arises from the default permissive trustedHosts configuration, which enables attackers to manipulate the application’s $baseUrl by poisoning the Host or X-Forwarded-Host header. Consequently, it bypasses internal URL validation, leading the backend Guzzle client to fetch malicious payloads from attacker-controlled servers and reflect them to the client. This vulnerability affects versions 4.0.0-RC1 through 4.18.0 and 5.0.0-RC1 through 5.10.0 specifically when assetManager.cacheSourcePaths is set to false. Updates in version 4.18.0 and 5.10.0 address this issue.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.10.0 < 5.0.0-RC1, 5.10.0

cms >= 4.0.0-RC1, < 4.18.0 < 4.0.0-RC1, 4.18.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.