Description
Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources.
When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
Published: 2026-04-21
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery via host header injection
Action: Patch
AI Analysis

Impact

Craft CMS fails to validate the Host header when the trustedHosts configuration is not set, allowing an attacker to manipulate the baseUrl that is used for prefix validation in the resource‑js endpoint. By supplying a crafted Host header in an unauthenticated request, the attacker can make the application fetch arbitrary remote resources, resulting in Server‑Side Request Forgery. The weakness is classified as CWE‑918 (Server-Side Request Forgery).

Affected Systems

Craft CMS versions on the 4.x branch up to and including 4.17.8 and on the 5.x branch up to and including 5.9.14 are affected. Versions 4.17.9 and newer, as well as 5.9.15 and newer, contain the fix.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, placing it in the moderate severity range. EPSS information is not available, and it is not listed in the CISA KEV catalog, so the current exploitation likelihood is uncertain. However, because the flaw can be triggered via unauthenticated forged Host headers, an attacker could probe internal network services or exfiltrate data that the Craft CMS instance can reach. Upgrading to a patched version removes the vulnerability.

Generated by OpenCVE AI on April 22, 2026 at 06:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.9 or later, or 5.9.15 or later.
  • Configure the trustedHosts setting to restrict acceptable Host header values to known, trusted domains, so that baseUrl can no longer be derived from an arbitrary client-supplied Host.
  • Restrict unauthenticated access to the /resource-js endpoint via web-server rules or firewall rules to reduce the attack surface.
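The description above explains the mechanism (a prefix check whose base URL is derived from a client-controlled Host header) and the actions list gives the mitigation (a Host allowlist). The following Python model is an added illustration written for this page; it is not Craft CMS code and does not reproduce `actionResourceJs()`. The function names, the `/resource-js` path used in the sample log, the `TRUST_ANY` constant standing in for the permissive default, the hostnames and the log format are all constructed for the example. It shows why the prefix check alone is not a trust boundary, how an allowlist closes the gap, and how a defender can flag requests to the endpoint whose Host header is not on the allowlist.

```python
"""Host-header trust versus prefix validation (constructed example, not Craft CMS code)."""

# Models the permissive default: any client-supplied Host is accepted.
TRUST_ANY = None


def derive_base_url(headers, trusted_hosts=TRUST_ANY, scheme="https"):
    """Build the base URL from the request's Host header.

    With trusted_hosts=None (the weak configuration) the Host value is used as-is.
    With an allowlist, a Host that is not listed raises ValueError, so no base URL
    is ever derived from it. Comparison is case-insensitive; ports are not handled.
    """
    host = headers.get("Host", "")
    if trusted_hosts is not None:
        allowed = {h.lower() for h in trusted_hosts}
        if host.lower() not in allowed:
            raise ValueError(f"untrusted Host header: {host!r}")
    return f"{scheme}://{host}/"


def is_allowed_resource(url, base_url):
    """Prefix check: the requested resource must live under base_url.

    base_url always ends with '/', so 'https://a.example.evil/' cannot pass as a
    prefix match for 'https://a.example/'.
    """
    return url.startswith(base_url)


def evaluate_request(headers, resource_url, trusted_hosts=TRUST_ANY):
    """Decide whether a proxied-resource request would be fetched.

    Returns ("fetch", url) or ("reject", reason). With TRUST_ANY the prefix check
    is satisfied by whatever host the client named in the Host header, which is
    the root cause described in the advisory; with an allowlist it is not.
    """
    try:
        base = derive_base_url(headers, trusted_hosts)
    except ValueError as exc:
        return ("reject", str(exc))
    if not is_allowed_resource(resource_url, base):
        return ("reject", "resource outside trusted base URL")
    return ("fetch", resource_url)


# Constructed access-log lines in a simplified "<client> <Host header> <request> <status>"
# layout (RFC 5737 addresses and example domains; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 cms.example.com "GET /resource-js?src=main.js HTTP/1.1" 200',
    '198.51.100.9 attacker.example "GET /resource-js?src=a.js HTTP/1.1" 200',
    '203.0.113.7 cms.example.com "GET /about HTTP/1.1" 200',
]


def flag_untrusted_hosts(log_lines, trusted_hosts):
    """Return (client, host) pairs for resource-js requests with an unlisted Host.

    A defender can run this over real access logs (after adapting the field split
    to the server's log format) to spot Host-header manipulation attempts against
    an instance that has not yet been patched or had trustedHosts configured.
    """
    allowed = {h.lower() for h in trusted_hosts}
    hits = []
    for line in log_lines:
        client, host, request = line.split(" ", 2)
        if "/resource-js" in request and host.lower() not in allowed:
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    weak = evaluate_request({"Host": "attacker.example"}, "https://attacker.example/a.js")
    fixed = evaluate_request({"Host": "attacker.example"}, "https://attacker.example/a.js",
                             trusted_hosts=["cms.example.com"])
    print("permissive default:", weak)      # the prefix check passes
    print("with allowlist:    ", fixed)     # rejected before any fetch
    print("log hits:", flag_untrusted_hosts(SAMPLE_LOG, ["cms.example.com"]))
```

The model makes the page's point concrete: `is_allowed_resource` behaves identically in both configurations, so the entire security outcome depends on where `base_url` came from. Pinning `trusted_hosts` is what turns the prefix check into a real boundary, which is why the recommended action pairs the upgrade with setting trustedHosts.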


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Craftcms; Craftcms craftcms

Type: Vendors & Products
Values Removed: (none)
Values Added: Craftcms; Craftcms craftcms

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.

Type: Title
Values Added: Craft CMS has a host header injection leading to SSRF via resource-js endpoint

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Craftcms Craftcms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T14:18:56.067Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41130

Vulnrichment

Updated: 2026-04-22T14:17:25.927Z

NVD

Status : Received

Published: 2026-04-22T00:16:28.880

Modified: 2026-04-22T15:16:16.507

Link: CVE-2026-41130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses