PT-2026-34220 · Craft Cms · Craft Cms
Published 2026-04-14 · Updated 2026-04-25 · CVE-2026-41129
CVSS v4.0: 7.0 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.x through 4.17.8
Craft CMS versions 5.x through 5.9.14
Description
Craft CMS is a content management system (CMS) affected by Server-Side Request Forgery (SSRF), a flaw in which an attacker can induce the server-side application to make requests to an unintended location. Exploitation requires specific permissions to be enabled within the GraphQL schema, namely "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume."
Recommendations
Update versions 4.x through 4.17.8 to version 4.17.9.
Update versions 5.x through 5.9.14 to version 5.9.15.
Fix
SSRF
Affected Products
Craft Cms