🔐 CVE Alert

CVE-2026-55791

UNKNOWN 0.0

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

CVSS Score: 0.0
EPSS Score: 0.3%
EPSS Percentile: 25th

Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above prior to 4.18.0, and versions 5.0.0-RC1 and above prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. Because the default trustedHosts configuration is permissive, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application's $baseUrl. This bypasses the endpoint's internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.
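The root cause described above, modelled as an added illustration that is not Craft's own code: a "same-site" check whose base URL is rebuilt from the request's Host or X-Forwarded-Host header accepts whatever host the client names, whereas a check against a static trusted-host allowlist does not. Hostnames, header dictionaries and function names are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed values: the host the site really runs on, and the static
# allowlist a hardened deployment would configure (not Craft's config format).
SITE_HOST = "cms.example.com"
TRUSTED_HOSTS = frozenset({SITE_HOST})


def base_url_from_request(headers: dict) -> str:
    """Model of a permissive trustedHosts setting: the base URL is rebuilt from
    X-Forwarded-Host (or Host) exactly as the client sent it."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host") or SITE_HOST
    return f"https://{host}"


def is_local_resource_vulnerable(resource_url: str, headers: dict) -> bool:
    """Vulnerable shape: 'is the URL under our base URL?', where the base URL
    itself came from the request. Whoever controls Host controls the answer."""
    base_url = base_url_from_request(headers)
    return resource_url.startswith(base_url + "/")


def is_local_resource_hardened(resource_url: str, trusted=TRUSTED_HOSTS) -> bool:
    """Hardened shape: parse the URL and compare its host against a static
    allowlist that never depends on request headers."""
    parsed = urlparse(resource_url)
    if parsed.scheme != "https" or parsed.username or parsed.password:
        return False  # reject userinfo tricks (host@other) and odd schemes
    return parsed.hostname in trusted


def forwarded_host_mismatch(headers: dict, trusted=TRUSTED_HOSTS) -> bool:
    """Detection aid for proxy or WAF logs: flag any request whose Host or
    X-Forwarded-Host names a host outside the allowlist."""
    return any(headers[h] not in trusted
               for h in ("Host", "X-Forwarded-Host") if h in headers)


if __name__ == "__main__":
    # Constructed request: legitimate Host, poisoned X-Forwarded-Host.
    poisoned = {"Host": SITE_HOST, "X-Forwarded-Host": "attacker.example.net"}
    payload = "https://attacker.example.net/payload.js"
    print("vulnerable check accepts:", is_local_resource_vulnerable(payload, poisoned))
    print("hardened check accepts:", is_local_resource_hardened(payload))
    print("mismatch flagged:", forwarded_host_mismatch(poisoned))
```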

CWE: CWE-918, CWE-644, CWE-79
Vendor: craftcms
Product: cms
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

Affected Versions

craftcms / cms: >= 5.0.0-RC1, < 5.10.0; >= 4.0.0-RC1, < 4.18.0

References

github.com: https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff
github.com: https://github.com/craftcms/cms/pull/18559