{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41130", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.737Z", "datePublished": "2026-04-21T23:36:31.358Z", "dateUpdated": "2026-04-21T23:36:31.358Z"}, "containers": {"cna": {"title": "Craft CMS has a host header injection leading to SSRF via resource-js endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"}, {"name": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.9.15", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.17.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:36:31.358Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue."}], "source": {"advisory": "GHSA-95wr-3f2v-v2wh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue."}], "id": "CVE-2026-41130", "lastModified": "2026-04-22T00:16:28.880", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:28.880", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T02:09:08.484784+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 4.17.9 or newer, or 5.9.15 or newer. ", "Configure the trustedHosts setting to restrict acceptable Host header values to known, trusted domains, thereby preventing arbitrary baseUrl derivations. ", "Restrict unauthenticated access to the /resource-js endpoint via web\u2011server rules or firewall rules to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery via host header injection"}, "threat_synthesis": {"affected_systems": "Craft CMS versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are affected. Versions 4.17.9 and later, as well as 5.9.15 and later, contain the fix.", "description_and_impact": "Craft CMS fails to constrain the Host header when the trustedHosts setting is not configured, allowing an attacker to influence the baseUrl used for prefix validation in the resource\u2011js endpoint. By sending a crafted Host header, the application can be made to fetch arbitrary remote resources, resulting in Server\u2011Side Request Forgery. This flaw does not require authentication and can enable access to internal network services or data exposed behind the CMS stack.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 5.5, placing it in the moderate range. Because EPSS information is unavailable and the issue is not listed in CISA KEV, the likelihood of contemporary exploitation is uncertain, but the flaw can be exploited unauthenticated by simply forging a Host header. Once leveraged, the attack can be used to probe internal network services or exfiltrate data that the Craft CMS instance can reach. Patching to 4.17.9 or 5.9.15 removes the vulnerability."}}}}, "created": "2026-04-22T02:15:05.401937+00:00", "updated": "2026-04-22T02:15:05.401948+00:00", "vendors": []}