Vulnerability Description
Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
- https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
- https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
FAQ
What is CVE-2026-41130?
CVE-2026-41130 is a documented vulnerability. Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests ...
How severe is CVE-2026-41130?
CVSS scoring is not yet available for CVE-2026-41130. Check NVD for updates.
Is there a patch for CVE-2026-41130?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.