5.9.15
CVE-2026-41130 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Craft CMS. This flaw allows unauthenticated attackers to proxy remote JavaScript resources by manipulating the Host header. The vulnerability impacts versions 4.0.0-RC1 through 5.9.14, and a fix is available in version 4.17.9.
The SSRF vulnerability in Craft CMS arises from the application's trust of the client-supplied Host header when determining the baseUrl used in prefix validation within the actionResourceJs() function. Without explicit restrictions on trustedHosts, an attacker can craft a malicious Host header, effectively controlling the HTTP requests made by the server. This enables the attacker to initiate arbitrary HTTP requests to internal or external resources, potentially exposing sensitive data or interacting with internal services that should not be directly accessible from the internet. The impact is amplified if the server has access to sensitive internal resources or APIs.
CVE-2026-41130 was publicly disclosed on 2026-04-21. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet widely available, but the vulnerability's nature makes it likely that such code will emerge.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
The primary mitigation for CVE-2026-41130 is to upgrade Craft CMS to version 4.17.9 or later. Prior to upgrading, carefully review the release notes for any breaking changes that might impact your application's functionality. As a temporary workaround, restrict the trustedHosts configuration setting to only allow trusted domains. This limits the server's ability to proxy requests to unauthorized locations. Monitor server logs for unusual outbound HTTP requests originating from the resource-js endpoint. Consider implementing a Web Application Firewall (WAF) with rules to block requests with suspicious Host headers.
Update Craft CMS to version 4.17.9 or later, or to version 5.9.15 or later. This update fixes the host header injection vulnerability that allows cross-site request forgery (SSRF) attacks by restricting trust in the client-provided Host header.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-41130 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS that allows attackers to proxy remote JavaScript resources by manipulating the Host header.
You are affected if you are running Craft CMS versions 4.0.0-RC1 through 5.9.14 and have not explicitly restricted the trustedHosts configuration.
Upgrade Craft CMS to version 4.17.9 or later. As a temporary workaround, restrict the trustedHosts configuration setting to only allow trusted domains.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes it likely that exploitation will occur.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.