Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-c55v-343g-5xff | Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs |
Thu, 02 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0. | |
| Title | Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs | |
| Weaknesses | CWE-644 CWE-79 CWE-918 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-02T15:54:26.284Z
Reserved: 2026-06-17T14:40:28.380Z
Link: CVE-2026-55791
Updated: 2026-07-02T14:53:52.067Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T01:15:16Z
Github GHSA