
CVE-2026-55791 — Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

AI Predicted Score: 8.5 · Difficulty: Easy

I. Basic Information for CVE-2026-55791

Vulnerability Information


Vulnerability Title: Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
Source: NVD (National Vulnerability Database)

Vulnerability Description: Craft CMS is a content management system (CMS). Versions from 4.0.0-RC1 up to but excluding 4.18.0, and from 5.0.0-RC1 up to but excluding 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. Because the default trustedHosts configuration is permissive, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application's $baseUrl. This bypasses the endpoint's internal URL validation, causing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.
Source: NVD (National Vulnerability Database)

CVSS Information: N/A
Source: NVD (National Vulnerability Database)

Vulnerability Type: Server-Side Request Forgery (SSRF)
Source: NVD (National Vulnerability Database)

Affected Products

Vendor: craftcms · Product: cms · Affected Versions: >= 5.0.0-RC1, < 5.10.0 · CPE: -

II. Public POCs for CVE-2026-55791

No public POC found.


III. Intelligence Information for CVE-2026-55791


Patches & Fixes for CVE-2026-55791 (1)

Vendor Advisories for CVE-2026-55791 (1)

Same Patch Batch · craftcms · 2026-07-01 · 9 CVEs total

CVE-2026-50284 — Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows
CVE-2026-50280 — Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section sa
CVE-2026-50279 — Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authori
CVE-2026-50283 — Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
CVE-2026-55793 — Craft CMS: Stored XSS via Structure entry title in table view
CVE-2026-55790 — Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
CVE-2026-55792 — Craft CMS: Sensitive File Disclosure / Server-Side File Read
CVE-2026-55794 — Craft CMS: Potential authenticated Remote Code Execution via referrer redirect

IV. Related Vulnerabilities

V. Comments for CVE-2026-55791
