Craft CMS CVE-2026-55791
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N) but requires non-default cacheSourcePaths=false plus a shared cache and admin login (AC:H/UI:R); attacker JS executes in admin's browser crossing trust boundaries (S:C) enabling RCE.
Primary rating from Vendor (https://github.com/craftcms/cms).
CVSS VectorVendor: https://github.com/craftcms/cms
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
1. Overview
Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header.
2. Vulnerability Mechanism (Root Cause) The vulnerability manifests when assetManager.cacheSourcePaths is set to false. The attack chain relies on three structural flaws and insecure defaults:
- A. Default Proxy Trust (
trustedHosts): Craft’s defaultGeneralConfig::$trustedHostsis set to['any']. This allows an attacker to bypass front-end web server (Nginx/Apache) strictHostheader validations by simply injecting anX-Forwarded-Hostheader. Yii2 will parse this and globally set$baseUrlto the attacker's domain. - B. Insecure HTTP Client (
actionResourceJs): InAppController::actionResourceJs(), thestr_starts_with($url, $baseUrl)validation is bypassed because$baseUrlis already poisoned by the attacker. The core then usesCraft::createGuzzleClient()->get($url). Unlike the GraphQL Asset fetcher, this Guzzle instance defaults toALLOW_REDIRECTS => true. - C. Forced JS Content-Type: The response fetched from the attacker's server is blindly returned to the user via
$this->asRaw()with the headerContent-Type: application/javascript.
3. Attack Scenario & Impact (Proof of Exploitability) This endpoint acts as a proxy, taking remote, unverified content and serving it as valid JavaScript. While the direct SSRF allows for internal network probing, the most devastating impact occurs when caching layers are involved.
If the Craft CMS instance is behind a caching layer, this vulnerability leads directly to Web Cache Poisoning:
- An unauthenticated attacker sends the poisoned request.
- The caching layer caches the malicious JavaScript response for the legitimate
/actions/app/resource-jsURI. - When an authenticated Administrator logs into the Control Panel, their browser loads the poisoned cached JavaScript (Stored XSS).
- The malicious script extracts
window.Craft.csrfTokenValueand silently sends a POST request to/admin/actions/plugins/install-plugin, achieving 1-Click Remote Code Execution (RCE) via Session Riding.
Articles & Coverage 1
AnalysisAI
Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires three concrete conditions to reach maximum impact: (1) the target Craft 4.x/5.x instance must have assetManager.cacheSourcePaths set to false (the vulnerable Guzzle-fetch branch is gated on this); (2) trustedHosts must remain at its default value of ['any'], or include the attacker-controllable hostname, so Yii2 accepts X-Forwarded-Host header poisoning; (3) for the cache-poisoning → admin XSS → 1-click RCE chain, the site must sit behind a shared HTTP caching layer (Varnish/Fastly/Cloudflare/Nginx fastcgi_cache) AND an authenticated administrator must subsequently visit the Control Panel. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided in the input, and the issue is not on the CISA KEV list - exploitation status is therefore 'no public exploit identified at time of analysis,' despite a fully documented vendor advisory describing the attack chain. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a request to /actions/app/resource-js with X-Forwarded-Host: attacker.tld and a url parameter pointing at attacker.tld; Yii2 trusts the header due to trustedHosts='any', $baseUrl is rewritten, the validation passes, and Guzzle (with redirects enabled) fetches attacker-controlled JavaScript and returns it with Content-Type: application/javascript. If the site sits behind a shared cache, the poisoned response is cached for the legitimate URI, so when an administrator next loads the Control Panel their browser executes the attacker's JS, which reads window.Craft.csrfTokenValue and POSTs to /admin/actions/plugins/install-plugin for RCE. … |
| Remediation | Vendor-released patch: upgrade to Craft CMS 5.10 (5.x branch) or 4.18 (4.x branch), which remove actionResourceJs() entirely and instead load cross-domain script tags directly in the browser rather than via a server-side proxy (see PR https://github.com/craftcms/cms/pull/18559 and advisory https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Craft CMS deployments and verify versions (4.x before 4.18, 5.x before 5.10); confirm if a caching layer exists in front of the application. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-346 – Origin Validation Error
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c55v-343g-5xff