diff --git a/package.json b/package.json
index a65f6b65..e73e923a 100644
--- a/package.json
+++ b/package.json
@@ -23,7 +23,7 @@
 "url": "git+https://github.com/opencor/webapp.git"
 },
 "type": "module",
- "version": "0.20260330.0",
+ "version": "0.20260330.1",
 "engines": {
 "bun": ">=1.2.0"
 },
diff --git a/src/extern/corsProxy.js b/src/extern/corsProxy.js
index d2c6e60c..d2b97d6c 100644
--- a/src/extern/corsProxy.js
+++ b/src/extern/corsProxy.js
@@ -16,8 +16,12 @@ export default {
 const parsedUrl = new URL(targetUrl);
 const allowedHosts = ['cellml.org', 'opencor.ws', 'physiomeproject.org'];
+ const allowedExtensions = ['.cellml', '.sedml', '.omex', '.csv'];
- if (!allowedHosts.some((host) => parsedUrl.hostname.endsWith(host))) {
+ if (
+ !allowedHosts.some((host) => parsedUrl.hostname.endsWith(host)) &&
+ !allowedExtensions.some((extension) => parsedUrl.pathname.toLowerCase().endsWith(extension))
+ ) {
 return new Response('Target URL is not allowed.', { status: 403 });
 }
diff --git a/src/renderer/package.json b/src/renderer/package.json
index c01b8d4e..28cd02a2 100644
--- a/src/renderer/package.json
+++ b/src/renderer/package.json
@@ -42,7 +42,7 @@
 },
 "./style.css": "./dist/opencor.css"
 },
- "version": "0.20260330.0",
+ "version": "0.20260330.1",
 "scripts": {
 "build": "vite build && bun scripts/generate.version.js",
 "build:lib": "vite build --config vite.lib.config.ts && bunx --bun vue-tsc --project tsconfig.lib.types.json",
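Review bot: The rewritten condition in src/extern/corsProxy.js joins the host test and the new extension test with `&&`, so a target is refused only when both fail, and a URL on any host is proxied as long as its path ends in `.cellml`, `.sedml`, `.omex` or `.csv`. If the extension list is meant to narrow what the allowed hosts may serve, the two negated tests should be joined with `||`. If fetching model files from arbitrary hosts is intended, the host allow-list no longer bounds where the proxy connects, and that decision deserves a comment above `allowedExtensions` plus a scheme and destination check, which the hunk does not show. Separately, `parsedUrl.hostname.endsWith(host)` on the unchanged side of the check also accepts a hostname that merely ends in the same characters; `parsedUrl.hostname === host || parsedUrl.hostname.endsWith('.' + host)` matches the domain and its subdomains only. The enclosing handler starts and ends outside the hunk.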