PT-2026-34221 · Craft CMS · Craft CMS

Published: 2026-04-14 · Updated: 2026-04-25 · CVE-2026-41130

CVSS v4.0: 7.0 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.x through 4.17.8
Craft CMS versions 5.x through 5.9.14

Description
The resource-js endpoint allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted, the application trusts the client-supplied Host header, so an attacker controls the derived baseUrl that actionResourceJs() uses for its prefix validation. By supplying a malicious Host header, an attacker can force the server to issue arbitrary HTTP requests, resulting in Server-Side Request Forgery (SSRF): the server is coerced into making requests to an unintended location.

Recommendations
Update versions 4.x through 4.17.8 to version 4.17.9.
Update versions 5.x through 5.9.14 to version 5.9.15.
Explicitly restrict trustedHosts so that the application does not trust client-supplied Host headers.
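The following configuration fragment is an added example of the trustedHosts hardening the advisory recommends; it is not taken from the advisory or from the Craft CMS project. It assumes the request component is customized from config/app.php using Craft's App::webRequestConfig() helper, that Craft's request component inherits Yii's trustedHosts and hostInfo settings, and that the CIDR range 10.0.0.0/24 and the host https://www.example.com are placeholders to be replaced with the real reverse-proxy range and canonical site URL.

```php
<?php
// config/app.php (illustrative hardening example, not the project's own file)
//
// Craft's request component inherits Yii's trustedHosts setting: array keys are
// IP/CIDR patterns of clients (normally reverse proxies) allowed to supply
// forwarded headers, and values list which headers are trusted from them.
// The CIDR range, header list and host name below are constructed placeholders.

return [
    'components' => [
        'request' => function () {
            $config = craft\helpers\App::webRequestConfig();

            // Weak (default): nothing is explicitly restricted, so the host the
            // application considers its own is derived from whatever the client
            // sends, and the baseUrl used for prefix checks follows it.
            // $config['trustedHosts'] = [];

            // Restricted: only the reverse-proxy range may supply forwarded
            // host/protocol headers; requests from anywhere else have those
            // headers ignored. Replace 10.0.0.0/24 with the real proxy range.
            $config['trustedHosts'] = [
                '10.0.0.0/24' => ['X-Forwarded-Host', 'X-Forwarded-Proto', 'X-Forwarded-For'],
            ];

            // Additional measure (assumption, beyond the advisory text): pin the
            // canonical host so that baseUrl never depends on the incoming Host
            // header at all. Replace with the real site URL.
            $config['hostInfo'] = 'https://www.example.com';

            return Craft::createObject($config);
        },
    ],
];
```

Apply the version updates first; the configuration above limits which clients can influence the derived host but is a defence-in-depth setting, not a substitute for the patched releases. After deploying, confirm that a request carrying an unexpected Host or X-Forwarded-Host header from outside the proxy range still resolves baseUrl to the pinned site URL.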

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-41130
GHSA-95WR-3F2V-V2WH

Affected Products

Craft CMS