{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31317", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-20T14:59:43.878Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-17T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-17T13:44:19.925Z"}, "descriptions": [{"lang": "en", "value": "Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/stormmmg/craftql_ssrf/"}, {"url": "https://github.com/markhuot/craftql"}, {"url": "https://github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "references": [{"url": "https://github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T14:54:09.582961Z", "id": "CVE-2026-31317", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:59:43.878Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31317", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T14:54:09.582961Z"}}}], "references": [{"url": "https://github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T14:54:33.189Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/stormmmg/craftql_ssrf/"}, {"url": "https://github.com/markhuot/craftql"}, {"url": "https://github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md"}], "descriptions": [{"lang": "en", "value": "Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-17T13:44:19.925Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31317", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:59:43.878Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-17T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file"}], "id": "CVE-2026-31317", "lastModified": "2026-04-20T16:16:42.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-17T14:16:33.730", "references": [{"source": "cve@mitre.org", "url": "https://github.com/markhuot/craftql"}, {"source": "cve@mitre.org", "url": "https://github.com/stormmmg/craftql_ssrf/"}, {"source": "cve@mitre.org", "url": "https://github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.7]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "craftql", "vendor": "markhuot"}], "analysis": {"en": {"generated_at": "2026-04-20T18:45:10.100493+00:00", "value": {"mitigation_remediation": ["Upgrade Craftql to the latest version (\u2265\u202f1.3.8) where the SSRF flaw has been fixed.", "Restrict outbound network traffic from the Craftql host, allowing only trusted destinations to mitigate SSRF exploitation.", "Deploy firewall rules or network segmentation to block access from the application server to internal services such as metadata endpoints or other sensitive resources."], "summary": {"action": "Apply Upgrade", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Craftql 1.3.7 and earlier. The specific file involved is vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php. No vendor product names are officially listed, but any deployment of the open\u2011source Craftql library within a PHP application is potentially impacted.", "description_and_impact": "Craftql prior to version 1.3.7 contains a Server\u2011Side Request Forgery flaw that permits an attacker to force the application to issue requests to arbitrary internal or external addresses. The flaw is triggered via the GetAssetsFieldSchema.php listener, and the attacker can supply a crafted parameter that leads the server to resolve and request a chosen URL. This vulnerable behaviour can be abused to execute arbitrary code on the host, directly compromising confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The flaw has a CVSS score of 7.5, indicating high impact, and an EPSS score of less than 1%, showing a low likelihood of exploitation. It is not listed in the CISA KEV catalog, but the existence of a publicly disclosed SSRF capable of arbitrary code execution remains a significant risk. Attackers who can access the vulnerable endpoint can craft a request that forces the application to request arbitrary URLs, potentially reaching internal services or cloud provider metadata endpoints if outbound traffic is not restricted."}}}}, "created": "2026-04-17T20:40:17.646414+00:00", "title": "Server\u2011Side Request Forgery in Craftql Enables Arbitrary Code Execution", "updated": "2026-04-20T18:45:14.236951+00:00", "vendors": ["markhuot", "markhuot$PRODUCT$craftql"]}