CVE-2026-41129
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
Description
## Required Permissions

Exploitation requires a few permissions to be enabled in the GraphQL schema in use:

* "Edit assets in the <VolumeName> volume"
* "Create assets in the <VolumeName> volume"

## Details

The implementation fails to restrict the URL scheme. While the feature is intended to "upload assets" fetched from a URL, there is no whitelist forcing `http` or `https`. This allows attackers to use the Gopher protocol to wrap raw TCP commands.

**Impact:** Combined with the DWORD bypass (the target IP written as a single decimal integer rather than a dotted quad), an attacker can reach internal services without triggering any "127.0.0.1" string-matching filters.

**Example Payload:** `gopher://2130706433:6379/_FLUSHALL` (targets local Redis; 2130706433 is the DWORD form of 127.0.0.1).

## Remediation Strategy

To prevent mathematical IP obfuscation, the application must normalize the hostname before validation, in addition to restricting the scheme to `http` or `https`.
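The check the remediation describes, as an added Python example that is not Craft CMS code: the scheme is restricted to `http`/`https` first, then the host is canonicalised (decimal DWORD and hex literals included) before being tested against loopback, private and link-local ranges. The `resolver` parameter is an assumption of this example so DNS names can be checked offline with a stub.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def normalize_host(host):
    """Canonicalise an IP literal, including decimal-DWORD and hex forms.
    ipaddress.ip_address() accepts dotted quads and IPv6 but rejects
    2130706433 or 0x7f000001; those are converted explicitly.
    Returns None when host is not an IP literal (i.e. a DNS name)."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        pass
    try:
        value = int(host, 0)  # base 0 understands 0x / 0o prefixes
    except ValueError:
        return None
    return ipaddress.IPv4Address(value) if 0 <= value <= 0xFFFFFFFF else None

def is_internal(addr):
    """True for any range a fetch-by-URL feature must never reach."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_asset_url(url, resolver=socket.gethostbyname):
    """Return (ok, reason): check the scheme, then the *normalised* host.
    DNS names go through `resolver` (injectable for offline tests) and the
    resulting address is checked, which also covers shorthand literals
    such as 127.1 that the resolver canonicalises."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    addr = normalize_host(parts.hostname)
    if addr is None:
        try:
            addr = ipaddress.ip_address(resolver(parts.hostname))
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False, "host does not resolve"
    if is_internal(addr):
        return False, f"{parts.hostname} maps to internal address {addr}"
    return True, f"ok: {addr}"
```

Validate after every redirect as well, since a redirect target is a fresh URL that must pass the same checks.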
How to fix CVE-2026-41129
To fix CVE-2026-41129, upgrade the affected package to the patched version below.
- Upgrade to 5.9.15 or later
Is CVE-2026-41129 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- >= 5.0.0-RC1, < 5.9.15
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |