Craft CMS has a host header injection leading to SSRF via resource-js endpoint

Description

Summary

The resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources.
When trustedHosts is not explicitly restricted (the default configuration), the application trusts the client-supplied Host header.

This lets an attacker control the derived baseUrl, which is the prefix that actionResourceJs() validates the url parameter against.
By supplying a malicious Host header, the attacker can make the server issue an HTTP request to a host of their choosing, leading to Server-Side Request Forgery (SSRF).

Details

The vulnerability exists in AppController::actionResourceJs().

The function validates that the url parameter starts with assetManager->baseUrl. However, baseUrl is derived from the current request host, so if trustedHosts is not configured the prefix being checked against is fully attacker-controlled through the Host header.

Attack chain:

  1. Attacker sends request with controlled Host header.
  2. Application derives baseUrl from the malicious Host.
  3. url parameter is required to start with this baseUrl.
  4. Validation passes.
  5. Guzzle performs a server-side HTTP request to the attacker-controlled host.
  6. SSRF occurs.

This does not rely on a string-parsing bypass of the prefix check. It relies on the application trusting the Host header: the check itself passes legitimately, against a prefix the attacker chose.
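
The following is an added example, not code from Craft CMS or from the advisory. It models the prefix check described above in plain PHP so the two behaviours can be compared side by side: a check whose baseUrl is built from the request Host header, and a hardened check that compares the parsed scheme, host, port and path of the url parameter against a base URL taken from fixed configuration. The function names, the /cpresources path and the host names are illustrative assumptions.

```php
<?php
// Added example (not Craft CMS code): models the advisory's prefix check and a
// hardened replacement. Names, paths and hosts below are illustrative assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern: baseUrl is derived from the request Host header, so the
 * attacker chooses the prefix that the url parameter has to start with.
 */
function deriveBaseUrlFromHost(string $hostHeader, bool $https = false): string
{
    // Mirrors "baseUrl is derived from the current request host".
    return ($https ? 'https' : 'http') . '://' . $hostHeader . '/cpresources';
}

function vulnerableCheck(string $url, string $hostHeader): bool
{
    $baseUrl = deriveBaseUrlFromHost($hostHeader);
    return str_starts_with($url, $baseUrl);
}

/**
 * Hardened pattern: the allowed origin comes from fixed configuration, never
 * from the request, and the comparison is made on parsed URL components rather
 * than on a raw string prefix.
 */
function hardenedCheck(string $url, string $configuredBaseUrl): bool
{
    $candidate = parse_url($url);
    $allowed   = parse_url($configuredBaseUrl);
    if ($candidate === false || $allowed === false) {
        return false;
    }
    foreach (['scheme', 'host'] as $part) {
        if (!isset($candidate[$part], $allowed[$part])
            || strcasecmp($candidate[$part], $allowed[$part]) !== 0) {
            return false;
        }
    }
    // Ports must match too; an omitted port means the scheme default.
    $defaultPort = (strtolower($allowed['scheme']) === 'https') ? 443 : 80;
    if (($candidate['port'] ?? $defaultPort) !== ($allowed['port'] ?? $defaultPort)) {
        return false;
    }
    // Reject userinfo tricks such as https://site.example@attacker.example/
    if (isset($candidate['user']) || isset($candidate['pass'])) {
        return false;
    }
    // The path must stay under the published resources directory.
    $allowedPath = rtrim($allowed['path'] ?? '/', '/') . '/';
    return str_starts_with($candidate['path'] ?? '/', $allowedPath);
}

// Constructed scenario: the site is configured for https://site.example, but
// the attacker sends Host: attacker.example:9999 and asks for a script there.
$configuredBaseUrl = 'https://site.example/cpresources';
$attackerHost      = 'attacker.example:9999';
$attackerUrl       = 'http://attacker.example:9999/evil.js';

var_dump(vulnerableCheck($attackerUrl, $attackerHost));
var_dump(hardenedCheck($attackerUrl, $configuredBaseUrl));
var_dump(hardenedCheck('https://site.example/cpresources/app.js', $configuredBaseUrl));
var_dump(hardenedCheck('https://site.example.attacker.example/cpresources/x.js', $configuredBaseUrl));
```

Run with `php example.php`. The vulnerable check accepts the attacker's URL because its prefix was built from the attacker's own Host header; the hardened check rejects it, accepts the genuine resource, and also rejects the look-alike host in the last call, which a raw prefix comparison against a fixed base such as https://site.example would have accepted. The configuration-side counterpart is the one the advisory names: restrict trustedHosts so the request component does not treat an arbitrary Host value as the site's own.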

PoC (safe reproduction steps)

Environment:
- Craft CMS 5.9.12
- Default configuration (no trustedHosts restriction)
- Docker deployment

  1. Start a listener inside the container:
    python3 -m http.server 9999

  2. Send a request to resource-js whose Host header (and therefore the url parameter, which must start with the derived baseUrl) points at the listener from step 1.

  3. Observe that the listener receives the request (out-of-band confirmation).

Basic information

Type
reviewed
Severity
medium
Published (advisory)
2026-04-14 23:36:09 UTC
Updated
2026-04-24 20:42:25 UTC
GitHub reviewed
2026-04-14 23:36:09 UTC
NVD published
2026-04-22 00:16:28 UTC

EPSS Score

Score: 0.04%
Percentile: 10.56%

CVSS Scores

Base score: 5.5
Version: 4.0
Severity: medium
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:H)
High privileges are required according to the published vector. Note that this is at odds with the advisory's own description, which states that the endpoint accepts unauthenticated requests; treat the score as published and the description as the statement of exposure.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

CWEs

CWE-918: Server-Side Request Forgery (SSRF)

Credits

  • HuajiHD (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

composer craftcms/cms: vulnerable >= 5.0.0-RC1, <= 5.9.14; first patched 5.9.15
composer craftcms/cms: vulnerable >= 4.0.0-RC1, <= 4.17.8; first patched 4.17.9
