Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-smdx-nfbs-2qbx
Vulnerability ID VCID-smdx-nfbs-2qbx
Aliases CVE-2026-41130
GHSA-95wr-3f2v-v2wh
Summary Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-918 Server-Side Request Forgery (SSRF)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2026-41130
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-95wr-3f2v-v2wh
cvssv4 5.5 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 5.5 https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
generic_textual MODERATE https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
ssvc Track https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
cvssv3.1_qr MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
cvssv4 5.5 https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
cvssv4 5.5 https://nvd.nist.gov/vuln/detail/CVE-2026-41130
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-41130
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-41130
https://nvd.nist.gov/vuln/detail/CVE-2026-41130
ebe7e85f1c89700d64332f72492be2e9a594e783 https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
GHSA-95wr-3f2v-v2wh https://github.com/advisories/GHSA-95wr-3f2v-v2wh
GHSA-95wr-3f2v-v2wh https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/ Found at https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41130
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.1628
EPSS Score 0.00051
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:51:21.569925+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41130.json 38.6.0