EXECUTIVE SUMMARY:
CVE-2026-55791 (CVSS score 9.2) is a critical vulnerability in Craft CMS versions 5.0.0-RC1 to 5.10 and 4.0.0-RC1 to 4.18 that allows blind Server-Side Request Forgery (SSRF) and arbitrary JavaScript injection via Host header poisoning in the actionResourceJs endpoint. The flaw occurs when an attacker manipulates the Host or X-Forwarded-Host header to bypass internal URL validation, so that the backend Guzzle client fetches a malicious payload from an attacker-controlled server and reflects it to the client with a Content-Type: application/javascript header. Exploitation requires only that the attacker can send a poisoned request to the actionResourceJs endpoint of the affected instance; it yields arbitrary JavaScript execution on the client side and can escalate to Web Cache Poisoning, Stored XSS, and 1-Click Remote Code Execution (RCE) via Session Riding. The business impact is severe (unauthorized access, data breaches, and complete system compromise), particularly when the Craft CMS instance sits behind a caching layer. Prerequisites for exploitation are the default permissive trustedHosts configuration and the assetManager.cacheSourcePaths setting being set to false.
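The root cause above is an application that derives its own origin from attacker-influenced Host / X-Forwarded-Host headers while its trusted-host allowlist is permissive. The following added example (illustrative Python, not Craft CMS or Yii code; the header handling and the "*"-means-trust-all semantics are assumptions modelled on the advisory's description of the trustedHosts setting) shows how the same poisoned request is accepted under a wildcard configuration and rejected under an explicit allowlist:

```python
"""Effective-host derivation and allowlist check (illustrative, not Craft's code)."""
from fnmatch import fnmatch


def effective_host(headers: dict, trust_forwarded: bool) -> str:
    """Return the hostname the application would treat as its own.

    Header names are compared case-insensitively. When proxy headers are
    honoured, X-Forwarded-Host overrides Host (first entry of a comma
    separated chain). Any port suffix is dropped so the allowlist compares
    bare hostnames.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    host = norm.get("host", "")
    if trust_forwarded and norm.get("x-forwarded-host"):
        host = norm["x-forwarded-host"].split(",")[0].strip()
    return host.split(":")[0].lower()


def host_is_trusted(host: str, trusted_hosts: list) -> bool:
    """Allowlist check; a bare '*' (the permissive default) trusts any host."""
    return any(fnmatch(host, pattern.lower()) for pattern in trusted_hosts)


def evaluate(headers: dict, trusted_hosts: list, trust_forwarded: bool = True) -> dict:
    """Decide whether a server-side fetch built from these headers should proceed."""
    host = effective_host(headers, trust_forwarded)
    return {"host": host, "accepted": host_is_trusted(host, trusted_hosts)}


# Constructed sample request: the Host header is legitimate, but the
# X-Forwarded-Host header points at a hostname the site does not own.
POISONED = {
    "Host": "cms.example.com",
    "X-Forwarded-Host": "attacker.invalid",
}

if __name__ == "__main__":
    print(evaluate(POISONED, ["*"]))                # wildcard: accepted
    print(evaluate(POISONED, ["cms.example.com"]))  # explicit allowlist: rejected
```

Restricting trusted hosts to the site's real hostnames (or not honouring X-Forwarded-Host at all when no trusted proxy sets it) is the configuration-level mitigation alongside the version update recommended below.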
RECOMMENDATION:
We recommend updating Craft CMS to version 5.10 or 4.18.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-c55v-343g-5xff