SSRF in Craftcms Cms

CVE-2026-41130

Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. …

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (16.2th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 5.0.0-RC1, < 5.9.15, >= 4.0.0-RC1, < 4.17.9

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh (x_refsource_CONFIRM)
https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783 (x_refsource_MISC)