Origin Validation Error Affecting craftcms/cms package, versions >=4.0.0-RC1, <4.18 and >=5.0.0-RC1, <5.10


Severity

critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS
0.33% (25th percentile)

  • Snyk ID: SNYK-PHP-CRAFTCMSCMS-17660443
  • Published: 27 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: seoyoung-kang

Introduced: 19 Jun 2026

CVE-2026-55791
CWE-346

How to fix?

Upgrade craftcms/cms to version 4.18, 5.10 or higher.

Overview

craftcms/cms is a content management system.

Affected versions of this package are vulnerable to Origin Validation Error via the actionResourceJs process. By poisoning the Host or X-Forwarded-Host header, an attacker can manipulate the application's base URL so that the backend fetches and serves attacker-controlled JavaScript, which then executes in the context of an administrator's browser and can potentially lead to remote code execution. Because the poisoned response can be cached, this can also result in web cache poisoning, with the stored malicious script being executed by privileged users. This is only exploitable if assetManager.cacheSourcePaths is set to false and the default permissive trustedHosts configuration (which trusts forwarded headers from any client) is in place.
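As a defender-side illustration of the precondition named above, the following is an added example (it is not from the Snyk advisory or from the Craft CMS project) of a Craft config/general.php that shows the permissive trustedHosts value beside a restricted one. It assumes the fluent GeneralConfig API of Craft 4 and later and Craft's documented trustedHosts general setting, whose default is ['any'] and whose values follow Yii's trustedHosts semantics (IP or CIDR patterns of the remote addresses whose X-Forwarded-* headers are honoured); the 10.0.0.0/8 range is a placeholder for a real reverse-proxy range. Narrowing trustedHosts shrinks the window the advisory describes but does not replace the upgrade.

```php
<?php
// config/general.php (added example, not from the advisory or Craft CMS).
// Assumes Craft 4+ fluent config API; the CIDR below is a placeholder.

use craft\config\GeneralConfig;

// WEAK (this is the default): forwarded headers such as X-Forwarded-Host
// are trusted no matter which client sent them, so a request from anywhere
// can influence the base URL Craft uses when it fetches and serves
// resource JavaScript. This is the "default permissive trustedHosts
// configuration" the advisory lists as a precondition.
//
// return GeneralConfig::create()
//     ->trustedHosts(['any']);

// HARDENED: only requests arriving from the listed proxy address range
// have their X-Forwarded-* headers honoured; the same headers on a
// request from any other address are ignored, so they cannot rewrite
// the base URL.
return GeneralConfig::create()
    ->trustedHosts([
        '10.0.0.0/8', // placeholder: replace with your load balancer / reverse proxy range
    ]);
```

Two notes on the design: trustedHosts only governs the forwarded headers, so the raw Host header should be pinned separately at the web server (for example by serving the site only from an explicitly named virtual host and giving an unmatched Host a default that returns an error), and a practical check after deploying the change is to send a request with a bogus X-Forwarded-Host value from outside the proxy range and confirm that generated URLs still use the real hostname.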

CVSS Base Scores: version 4.0, version 3.1