Server-Side Request Forgery and JavaScript Injection in Craft CMS 4.x and 5.x
CVE-2026-55791
What is CVE-2026-55791?
Craft CMS contains a vulnerability that allows for Server-Side Request Forgery (SSRF) and arbitrary JavaScript injection via the /actions/app/resource-js endpoint. This issue arises from the default permissive trustedHosts configuration, which enables attackers to manipulate the application’s $baseUrl by poisoning the Host or X-Forwarded-Host header. Consequently, it bypasses internal URL validation, leading the backend Guzzle client to fetch malicious payloads from attacker-controlled servers and reflect them to the client. This vulnerability affects versions 4.0.0-RC1 through 4.18.0 and 5.0.0-RC1 through 5.10.0 specifically when assetManager.cacheSourcePaths is set to false. Updates in version 4.18.0 and 5.10.0 address this issue.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.10.0 < 5.0.0-RC1, 5.10.0
cms >= 4.0.0-RC1, < 4.18.0 < 4.0.0-RC1, 4.18.0
