Description

Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
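The description above turns on one detail: the prefix check compares the requested URL against a `baseUrl` derived from the client-supplied Host header, so the check is only as strong as the `trustedHosts` restriction in front of it. The following is an added, simplified model of that logic (hypothetical code, not Craft CMS's implementation) showing why the permissive `['any']` default lets an untrusted Host satisfy the check and how an explicit host allowlist closes it; all host names are constructed.

```python
"""Simplified model of a Host-derived prefix check and of the
trustedHosts restriction that makes it meaningful.
Hypothetical code: not Craft CMS's own implementation."""
from urllib.parse import urlparse


def base_url_from_host(host_header: str, scheme: str = "https") -> str:
    """Derive the site base URL from the request's Host header.
    This is the untrusted step: whoever controls Host controls baseUrl."""
    return f"{scheme}://{host_header.lower()}/"


def host_is_trusted(host_header: str, trusted_hosts: list[str]) -> bool:
    """Mirror the trustedHosts semantics in simplified form:
    'any' trusts every Host value, otherwise require an exact match."""
    if "any" in trusted_hosts:
        return True
    return host_header.lower() in (h.lower() for h in trusted_hosts)


def is_allowed_resource(url: str, host_header: str, trusted_hosts: list[str]) -> bool:
    """Return True if a proxied resource URL passes validation.
    Hardened behaviour: reject an untrusted Host before deriving baseUrl,
    so the prefix comparison below is only ever made against a known host."""
    if not host_is_trusted(host_header, trusted_hosts):
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return url.startswith(base_url_from_host(host_header))


# Constructed sample values (not from the advisory).
SITE_HOST = "cms.example.org"                 # the host the site is actually served on
SPOOFED_HOST = "spoofed-host.example"         # a Host value the server should not trust
URL_UNDER_SPOOFED = f"https://{SPOOFED_HOST}/some.js"


def demo() -> dict[str, bool]:
    """Compare the permissive default with an explicit allowlist."""
    return {
        # default ['any']: the untrusted Host passes and the prefix check is satisfied
        "default_any": is_allowed_resource(URL_UNDER_SPOOFED, SPOOFED_HOST, ["any"]),
        # explicit allowlist: the untrusted Host is rejected before baseUrl is derived
        "restricted": is_allowed_resource(URL_UNDER_SPOOFED, SPOOFED_HOST, [SITE_HOST]),
        # a legitimate same-site resource still passes under the allowlist
        "legit": is_allowed_resource(f"https://{SITE_HOST}/assets/app.js", SITE_HOST, [SITE_HOST]),
    }
```

The same reasoning applies to any check that bases an allowlist on request-derived data: validate the Host against a fixed allowlist first, and treat the derived `baseUrl` as trusted only after that.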

INFO

Published Date: 2026-04-21T23:36:31.358Z
Last Modified: 2026-04-22T14:18:56.067Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-41130.

Vendor: Craftcms
Product: Craftcms
