CVE-2026-41129
EPSS 0.04%
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
Description
## Required Permissions

Exploitation requires a few permissions to be enabled in the GraphQL schema in use:

* "Edit assets in the <VolumeName> volume"
* "Create assets in the <VolumeName> volume"

## Details

The implementation fails to restrict the URL scheme. Although the feature is intended to "upload assets", there is no allow-list forcing `http` or `https`, so an attacker can supply a `gopher://` URL and use it to wrap raw TCP commands.

**Impact:** Combined with the DWORD bypass (writing the target address as a single 32-bit integer, so that `2130706433`, i.e. `0x7F000001`, is `127.0.0.1`), an attacker can reach internal services without triggering any "127.0.0.1" string-matching filters.

**Example Payload:** `gopher://2130706433:6379/_FLUSHALL` (targets local Redis via the DWORD form of 127.0.0.1).

**Remediation Strategy:** To prevent mathematical IP obfuscation, the application must normalize the hostname to its canonical address before validation, and validate the URL scheme against an allow-list of `http` and `https`.
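As an added example (not Craft CMS code, and not the project's fix), the following PHP shows an outbound-URL policy of the kind the remediation calls for: a scheme allow-list that rejects the `gopher://` payload outright, and canonicalization of the numeric host forms that libc `inet_aton()` accepts (decimal DWORD, hex, octal, short dotted forms) before the reserved/private range check runs. The class and method names (`AssetUrlPolicy`, `validate`, `canonicalIpv4`), the injectable `$resolver`, and the hostnames in the demo are assumptions for illustration; the resolver map is constructed so the demo runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical policy class; names are assumptions, not Craft CMS API.
final class AssetUrlPolicy
{
    private const ALLOWED_SCHEMES = ['http', 'https'];

    /**
     * Canonicalize the numeric host forms libc inet_aton() accepts (decimal DWORD,
     * 0x-hex, leading-zero octal, 1 to 4 dot-separated parts) into dotted-quad form.
     * Returns null when $host is not purely numeric, i.e. is a DNS name.
     */
    public static function canonicalIpv4(string $host): ?string
    {
        $parts = explode('.', $host);
        $n = count($parts);
        if ($n > 4) {
            return null;
        }
        $values = [];
        foreach ($parts as $p) {
            if (preg_match('/^0[xX][0-9a-fA-F]{1,8}$/', $p)) {
                $values[] = (int) hexdec(substr($p, 2));          // hex part
            } elseif (preg_match('/^0[0-7]{0,11}$/', $p)) {
                $values[] = (int) octdec($p);                     // "0" or octal part
            } elseif (preg_match('/^[1-9][0-9]{0,9}$/', $p)) {
                $values[] = (int) $p;                             // decimal part
            } else {
                return null;                                      // not numeric: DNS name
            }
        }
        // inet_aton semantics: the last part fills every remaining byte,
        // so a single part is a full 32-bit DWORD (2130706433 -> 127.0.0.1).
        $last = array_pop($values);
        $tailBits = 8 * (5 - $n);                                 // 32, 24, 16 or 8
        if ($last >= 2 ** $tailBits) {
            return null;
        }
        $dword = 0;
        foreach ($values as $v) {
            if ($v > 255) {
                return null;
            }
            $dword = ($dword << 8) | $v;
        }
        return long2ip(($dword << $tailBits) | $last);
    }

    /**
     * Returns the canonical IP the request would reach, or throws.
     * $resolver maps a DNS name to an IP string (gethostbyname in production).
     */
    public static function validate(string $url, ?callable $resolver = null): string
    {
        $resolver ??= 'gethostbyname';
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            throw new InvalidArgumentException("Unparseable URL: $url");
        }
        // 1. Scheme allow-list: this alone stops gopher://, file://, dict://, ftp://.
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, self::ALLOWED_SCHEMES, true)) {
            throw new InvalidArgumentException("Scheme not allowed: $scheme");
        }
        // 2. Normalize the host BEFORE any range check: numeric forms are
        //    canonicalized locally, IPv6 literals kept, everything else resolved.
        $host = strtolower(trim($parts['host'], '[]'));
        $ip = self::canonicalIpv4($host);
        if ($ip === null && filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            $ip = $host;
        }
        if ($ip === null) {
            $ip = $resolver($host);                               // gethostbyname echoes the name on failure
            if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
                throw new InvalidArgumentException("Cannot resolve host: $host");
            }
        }
        // 3. Range check on the canonical address, never on the raw string.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            throw new InvalidArgumentException("Host $host resolves to blocked address $ip");
        }
        return $ip;
    }
}

// Constructed resolver so the demo runs offline (hostnames are made up).
$fakeDns = fn(string $h): string =>
    ['cdn.example' => '203.0.113.10', 'rebind.example' => '127.0.0.1'][$h] ?? $h;

$samples = [
    'gopher://2130706433:6379/_FLUSHALL',   // the advisory's payload: denied by scheme
    'http://2130706433/',                   // DWORD form of 127.0.0.1
    'http://0x7f000001/',                   // hex form
    'http://0177.0.0.1/',                   // octal first octet
    'http://127.1/',                        // two-part short form
    'http://[::1]/',                        // IPv6 loopback literal
    'http://rebind.example/',               // DNS name resolving to loopback
    'https://cdn.example/logo.png',         // the only one that should pass
];
foreach ($samples as $u) {
    try {
        echo "ALLOW $u -> ", AssetUrlPolicy::validate($u, $fakeDns), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "DENY  $u -> ", $e->getMessage(), PHP_EOL;
    }
}
```

Two caveats the block does not cover: the address that passed validation must be the one the HTTP client actually connects to (pin it, for example with cURL's `CURLOPT_RESOLVE`, or resolve inside the client), otherwise a DNS rebinding name can answer with a public address during validation and a loopback address at connect time; and redirects must be disabled or re-validated with the same policy, since a 3xx to `http://127.0.0.1/` or a non-HTTP scheme otherwise bypasses every check above.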
Affected packages (1)
- Packagist/craftcms/cms >= 5.0.0-RC1, < 5.9.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |