Ghostwire

CVE-2026-31317: Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute...

MEDIUM CVSS 5.5 Exploit Available

Published: April 17, 2026 | Last Modified: April 18, 2026

Description

Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file

Ghostwire Analysis — What This Means Practically

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

References

nvd.nist.gov/vuln/detail/CVE-2026-31317
github.com/markhuot/craftql
github.com/stormmmg/craftql_ssrf
github.com/stormmmg/craftql_ssrf/blob/master/craftql-ssrf-en/README_detail.md
github.com/advisories/GHSA-8wmw-prw8-2ggm
www.tenable.com/cve/CVE-2026-31317
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-31317