๐Ÿ” CVE Alert

CVE-2026-41130

Severity: UNKNOWN (score 0.0)

Craft CMS has a host header injection leading to SSRF via resource-js endpoint

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
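A constructed model of the pattern described above, added here to illustrate the advisory; it is not Craft CMS source code. A proxy endpoint checks a requested URL against the site's baseUrl by prefix; the permissive variant derives baseUrl from the client's Host header (the unrestricted `trustedHosts` default), while the hardened variant only accepts hosts from a configured allowlist. The host names, paths and `TRUSTED_HOSTS` value are assumptions.

```python
"""Constructed model of the CVE-2026-41130 pattern; not Craft CMS source.

resource_js_allowed() mimics a proxy endpoint that validates a remote URL by
checking it starts with the site's baseUrl. Whether that check means anything
depends entirely on where baseUrl comes from.
"""
from typing import Optional

# Constructed allowlist standing in for a restricted `trustedHosts` setting.
TRUSTED_HOSTS = frozenset({"cms.example.com"})


def base_url(host_header: str, trust_any_host: bool) -> Optional[str]:
    """Derive the site baseUrl from the incoming request.

    trust_any_host=True reproduces the permissive default: whatever Host the
    client sent becomes the baseUrl, so the prefix check below is measured
    against a value the client chose. With False, unknown hosts yield None.
    """
    host = host_header.strip().lower()
    if not trust_any_host and host not in TRUSTED_HOSTS:
        return None
    return f"https://{host}/"


def resource_js_allowed(host_header: str, url: str, trust_any_host: bool) -> bool:
    """Prefix validation: the remote URL must start with the derived baseUrl.

    The trailing slash in baseUrl is kept so that a host which merely begins
    with the trusted name does not pass as a prefix match.
    """
    base = base_url(host_header, trust_any_host)
    return base is not None and url.startswith(base)


def compare(host_header: str, url: str) -> dict:
    """Return the verdict of both variants for the same request."""
    return {
        "permissive": resource_js_allowed(host_header, url, trust_any_host=True),
        "restricted": resource_js_allowed(host_header, url, trust_any_host=False),
    }


if __name__ == "__main__":
    # Constructed requests: a legitimate one, and one where the client also
    # controls the Host header so the check validates the URL against itself.
    for host, url in [
        ("cms.example.com", "https://cms.example.com/assets/app.js"),
        ("untrusted.example", "https://untrusted.example/anything.js"),
    ]:
        print(host, url, compare(host, url))
```

The second request shows why restricting `trustedHosts` is the mitigation: with a fixed allowlist the prefix check has an anchor the client cannot move.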

CWE: CWE-918
Vendor: craftcms
Product: cms
Published: Apr 21, 2026

Affected Versions

craftcms / cms
>= 5.0.0-RC1, < 5.9.15
>= 4.0.0-RC1, < 4.17.9

References

https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783