Description
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file.
Published: 2026-04-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Upgrade
AI Analysis

Impact

Craftql versions 1.3.7 and earlier contain a Server‑Side Request Forgery flaw that lets an attacker make the application issue requests to arbitrary internal or external addresses. The flaw is reached through the GetAssetsFieldSchema.php listener: a crafted parameter causes the server to resolve and fetch a URL of the attacker's choosing. According to the CVE description, this behaviour can be abused to execute arbitrary code on the host, which would directly compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

The vulnerability affects all installations of Craftql 1.3.7 and earlier. The specific file involved is vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php. No vendor product names are officially listed, but any deployment of the open‑source Craftql library within a PHP application is potentially impacted.

Risk and Exploitability

The flaw has a CVSS score of 7.5 (High) and an EPSS score below 1%, indicating a low estimated likelihood of exploitation. It is not listed in the CISA KEV catalog, but a publicly disclosed SSRF that is claimed to reach arbitrary code execution remains a significant risk. Note that the published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) records a confidentiality impact only, and the SSVC entry rates the technical impact as partial with a proof of concept available. Attackers who can reach the vulnerable endpoint can craft a request that makes the application fetch arbitrary URLs, potentially reaching internal services or cloud provider metadata endpoints if outbound traffic from the host is not restricted.

Generated by OpenCVE AI on April 20, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Craftql to the latest version (≥ 1.3.8), in which the SSRF flaw is fixed.
  • Restrict outbound network traffic from the Craftql host to trusted destinations only, which limits what an SSRF can reach.
  • Use firewall rules or network segmentation to block the application server from reaching internal services such as cloud metadata endpoints and other sensitive resources.

Advisories

  Source: GitHub GHSA
  ID: GHSA-8wmw-prw8-2ggm
  Title: Craftql vulnerable to Server-Side Request Forgery

History (each entry lists the field changed and the values removed or added at that time)

Mon, 20 Apr 2026 19:00:00 +0000
  Title: Server‑Side Request Forgery in Craftql Enables Arbitrary Code Execution

Mon, 20 Apr 2026 17:45:00 +0000
  Title: SSRF in Craftql Enabling Arbitrary Code Execution
  Weaknesses: CWE-78

Mon, 20 Apr 2026 15:15:00 +0000
  Metrics:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 18 Apr 2026 17:30:00 +0000
  Title: SSRF in Craftql Enabling Arbitrary Code Execution
  Weaknesses: CWE-78, CWE-918

Fri, 17 Apr 2026 21:00:00 +0000
  First Time appeared: Markhuot, Markhuot craftql
  Vendors & Products: Markhuot, Markhuot craftql

Fri, 17 Apr 2026 14:15:00 +0000
  Description: Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file.
MITRE
  Status: PUBLISHED
  Assigner: mitre
  Published:
  Updated: 2026-04-20T14:59:43.878Z
  Reserved: 2026-03-09T00:00:00.000Z
  Link: CVE-2026-31317

Vulnrichment
  Updated: 2026-04-17T14:54:33.189Z

NVD
  Status: Deferred
  Published: 2026-04-17T14:16:33.730
  Modified: 2026-04-20T16:16:42.660
  Link: CVE-2026-31317

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-20T18:45:14Z

Weaknesses