Skip to main content

Craft CMS CVE-2026-55791

MEDIUM
Origin Validation Error (CWE-346)
2026-06-19 https://github.com/craftcms/cms GHSA-c55v-343g-5xff
6.9
CVSS 4.0 · Vendor: https://github.com/craftcms/cms
Share

Severity by source

Vendor (https://github.com/craftcms/cms) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Network-reachable and unauthenticated (AV:N/PR:N) but requires non-default cacheSourcePaths=false plus a shared cache and admin login (AC:H/UI:R); attacker JS executes in admin's browser crossing trust boundaries (S:C) enabling RCE.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/craftcms/cms).

CVSS VectorVendor: https://github.com/craftcms/cms

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 02, 2026 - 00:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 19, 2026 - 23:32 vuln.today
Analysis Generated
Jun 19, 2026 - 23:32 vuln.today

DescriptionCVE.org

1. Overview

Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header.

2. Vulnerability Mechanism (Root Cause) The vulnerability manifests when assetManager.cacheSourcePaths is set to false. The attack chain relies on three structural flaws and insecure defaults:

  • A. Default Proxy Trust (trustedHosts): Craft’s default GeneralConfig::$trustedHosts is set to ['any']. This allows an attacker to bypass front-end web server (Nginx/Apache) strict Host header validations by simply injecting an X-Forwarded-Host header. Yii2 will parse this and globally set $baseUrl to the attacker's domain.
  • B. Insecure HTTP Client (actionResourceJs): In AppController::actionResourceJs(), the str_starts_with($url, $baseUrl) validation is bypassed because $baseUrl is already poisoned by the attacker. The core then uses Craft::createGuzzleClient()->get($url). Unlike the GraphQL Asset fetcher, this Guzzle instance defaults to ALLOW_REDIRECTS => true.
  • C. Forced JS Content-Type: The response fetched from the attacker's server is blindly returned to the user via $this->asRaw() with the header Content-Type: application/javascript.

3. Attack Scenario & Impact (Proof of Exploitability) This endpoint acts as a proxy, taking remote, unverified content and serving it as valid JavaScript. While the direct SSRF allows for internal network probing, the most devastating impact occurs when caching layers are involved.

If the Craft CMS instance is behind a caching layer, this vulnerability leads directly to Web Cache Poisoning:

  1. An unauthenticated attacker sends the poisoned request.
  2. The caching layer caches the malicious JavaScript response for the legitimate /actions/app/resource-js URI.
  3. When an authenticated Administrator logs into the Control Panel, their browser loads the poisoned cached JavaScript (Stored XSS).
  4. The malicious script extracts window.Craft.csrfTokenValue and silently sends a POST request to /admin/actions/plugins/install-plugin, achieving 1-Click Remote Code Execution (RCE) via Session Riding.

AnalysisAI

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Craft CMS behind shared cache
Delivery
Send /actions/app/resource-js request with X-Forwarded-Host poisoning
Exploit
Yii2 rewrites $baseUrl, validation bypassed
Install
Guzzle fetches attacker JS, returned as application/javascript
C2
Cache layer stores poisoned response for legitimate URI
Execute
Admin loads Control Panel, browser executes JS
Impact
Steal CSRF token, POST install-plugin for RCE

Vulnerability AssessmentAI

Exploitation Requires three concrete conditions to reach maximum impact: (1) the target Craft 4.x/5.x instance must have assetManager.cacheSourcePaths set to false (the vulnerable Guzzle-fetch branch is gated on this); (2) trustedHosts must remain at its default value of ['any'], or include the attacker-controllable hostname, so Yii2 accepts X-Forwarded-Host header poisoning; (3) for the cache-poisoning → admin XSS → 1-click RCE chain, the site must sit behind a shared HTTP caching layer (Varnish/Fastly/Cloudflare/Nginx fastcgi_cache) AND an authenticated administrator must subsequently visit the Control Panel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided in the input, and the issue is not on the CISA KEV list - exploitation status is therefore 'no public exploit identified at time of analysis,' despite a fully documented vendor advisory describing the attack chain. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a request to /actions/app/resource-js with X-Forwarded-Host: attacker.tld and a url parameter pointing at attacker.tld; Yii2 trusts the header due to trustedHosts='any', $baseUrl is rewritten, the validation passes, and Guzzle (with redirects enabled) fetches attacker-controlled JavaScript and returns it with Content-Type: application/javascript. If the site sits behind a shared cache, the poisoned response is cached for the legitimate URI, so when an administrator next loads the Control Panel their browser executes the attacker's JS, which reads window.Craft.csrfTokenValue and POSTs to /admin/actions/plugins/install-plugin for RCE. …
Remediation Vendor-released patch: upgrade to Craft CMS 5.10 (5.x branch) or 4.18 (4.x branch), which remove actionResourceJs() entirely and instead load cross-domain script tags directly in the browser rather than via a server-side proxy (see PR https://github.com/craftcms/cms/pull/18559 and advisory https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Craft CMS deployments and verify versions (4.x before 4.18, 5.x before 5.10); confirm if a caching layer exists in front of the application. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-55791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy