CVE-2026-55791
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
Craft CMS versions 4.0.0-RC1 through 4.18.0 and 5.0.0-RC1 through 5.10.0 are vulnerable to SSRF and arbitrary JavaScript injection via the /actions/app/resource-js endpoint. An attacker can poison the Host or X-Forwarded-Host header to bypass URL validation and force the Guzzle client to fetch a malicious payload from an external server.
Risk Assessment
The risk includes arbitrary JavaScript execution in the victim's browser (XSS) and the ability to use the server to scan internal networks or send requests to internal resources (SSRF).
Recommendation
Immediately update Craft CMS to version 4.18.0 or 5.10.0. Additionally, configure trustedHosts to restrict trusted hosts and enable assetManager.cacheSourcePaths.
Original NVD description (English source)
Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.

