CVE-2026-41129
Description
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and on the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery (SSRF). Exploitation requires a few permissions to be enabled in the GraphQL schema in use: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.