Description

CraftQL v1.3.7 and earlier is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-17 | Updated 2026-04-20 | Assigner mitre

References

github.com/...f/blob/master/craftql-ssrf-en/README_detail.md exploit

github.com/stormmmg/craftql_ssrf/

github.com/markhuot/craftql

cve.org (CVE-2026-31317)

nvd.nist.gov (CVE-2026-31317)
