CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CVE-2026-41461 (GCVE-0-2026-41461)
Vulnerability from cvelistv5 – Published: 2026-04-23 13:45 – Updated: 2026-04-29 19:32 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://karmainsecurity.com/KIS-2026-07 | technical-description |
| https://socialengine.com | product |
| https://www.vulncheck.com/advisories/socialengine… | third-party-advisory |
| http://seclists.org/fulldisclosure/2026/Apr/11 | |

| Vendor | Product | Version |
|---|---|---|
| SocialEngine | SocialEngine | Affected: 0 , ≤ 7.8.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T15:34:49.214715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T15:35:00.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:21.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Apr/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SocialEngine",
"vendor": "SocialEngine",
"versions": [
{
"lessThanOrEqual": "7.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Egidio Romano"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.\u003cbr\u003e"
}
],
"value": "SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:55:11.876Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://karmainsecurity.com/KIS-2026-07"
},
{
"tags": [
"product"
],
"url": "https://socialengine.com"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SocialEngine \u003c= 7.8.0 Blind SSRF via /core/link/preview",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41461",
"datePublished": "2026-04-23T13:45:07.359Z",
"dateReserved": "2026-04-20T16:07:47.310Z",
"dateUpdated": "2026-04-29T19:32:21.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41481 (GCVE-0-2026-41481)
Vulnerability from cvelistv5 – Published: 2026-04-24 20:54 – Updated: 2026-06-30 12:08 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/langchain-ai/langchain/securit… | x_refsource_CONFIRM |
| https://access.redhat.com/security/cve/CVE-2026-41481 | vdb-entry, x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2461733 | issue-tracking, x_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |

| Vendor | Product | Version | CPE |
|---|---|---|---|
| langchain-ai | langchain-text-splitters | Affected: < 1.1.2 | |
| Red Hat | Migration Toolkit for Applications 8 | | cpe:/a:redhat:migration_toolkit_applications:8 |
| Red Hat | OpenShift Lightspeed | | cpe:/a:redhat:openshift_lightspeed |
| Red Hat | Red Hat Ansible Automation Platform 2 | | cpe:/a:redhat:ansible_automation_platform:2 |
| Red Hat | Red Hat OpenShift AI (RHOAI) | | cpe:/a:redhat:openshift_ai |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-25T01:54:07.352480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T01:54:16.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"defaultStatus": "affected",
"product": "Migration Toolkit for Applications 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"defaultStatus": "affected",
"product": "OpenShift Lightspeed",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
}
],
"datePublic": "2026-04-24T20:54:27.713Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in LangChain and langchain-text-splitters. This vulnerability, a Server-Side Request Forgery (SSRF) bypass, allows a remote attacker to redirect a seemingly safe URL to internal network resources. By exploiting unvalidated redirects, an attacker could access sensitive data from internal, localhost, or cloud metadata endpoints. This could result in information disclosure or data exfiltration if the application processes and exposes the content from these redirected requests."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:48.076Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-41481"
},
{
"name": "RHBZ#2461733",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461733"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41481.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T22:00:57.208Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-24T20:54:27.713Z",
"value": "Made public."
}
],
"title": "langchain-text-splitters: LangChain: Information Disclosure via Server-Side Request Forgery (SSRF) Redirect Bypass",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, Red Hat customers should ensure that applications utilizing LangChain\u0027s HTMLHeaderTextSplitter.split_text_from_url() function do not process untrusted or unvalidated URLs. Implement strict input validation for all URL inputs to prevent redirection to internal network resources. If an application exposes the content of processed Document objects to external requesters, consider reconfiguring the application to restrict such exposure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "langchain-text-splitters",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters\n 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability is fixed in 1.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T20:55:32.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr"
}
],
"source": {
"advisory": "GHSA-fv5p-p927-qmxr",
"discovery": "UNKNOWN"
},
"title": "LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41481",
"datePublished": "2026-04-24T20:54:27.713Z",
"dateReserved": "2026-04-20T16:14:19.006Z",
"dateUpdated": "2026-06-30T12:08:48.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41488 (GCVE-0-2026-41488)
Vulnerability from cvelistv5 – Published: 2026-04-24 20:57 – Updated: 2026-04-27 13:40 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/langchain-ai/langchain/securit… | x_refsource_CONFIRM |

| Vendor | Product | Version |
|---|---|---|
| langchain-ai | langchain-openai | Affected: < 1.1.14 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:40:34.758273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:40:42.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain-openai",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai\u0027s _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T20:57:25.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"
}
],
"source": {
"advisory": "GHSA-r7w7-9xr2-qq2r",
"discovery": "UNKNOWN"
},
"title": "angchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41488",
"datePublished": "2026-04-24T20:57:25.658Z",
"dateReserved": "2026-04-20T16:14:19.007Z",
"dateUpdated": "2026-04-27T13:40:42.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41644 (GCVE-0-2026-41644)
Vulnerability from cvelistv5 – Published: 2026-05-07 11:56 – Updated: 2026-05-07 13:48
| URL | Tags |
|---|---|
| https://github.com/monetr/monetr/security/advisor… | x_refsource_CONFIRM |
| https://github.com/monetr/monetr/pull/3122 | x_refsource_MISC |
| https://github.com/monetr/monetr/commit/c260caa3c… | x_refsource_MISC |
| https://github.com/monetr/monetr/releases/tag/v1.12.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:47:57.725746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:48:06.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "monetr",
"vendor": "monetr",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr\u0027s Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T11:56:37.721Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/monetr/monetr/security/advisories/GHSA-29v9-frvh-c426",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/monetr/monetr/security/advisories/GHSA-29v9-frvh-c426"
},
{
"name": "https://github.com/monetr/monetr/pull/3122",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/monetr/monetr/pull/3122"
},
{
"name": "https://github.com/monetr/monetr/commit/c260caa3c573a4a396ec2d264c7641a5d958385b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/monetr/monetr/commit/c260caa3c573a4a396ec2d264c7641a5d958385b"
},
{
"name": "https://github.com/monetr/monetr/releases/tag/v1.12.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/monetr/monetr/releases/tag/v1.12.5"
}
],
"source": {
"advisory": "GHSA-29v9-frvh-c426",
"discovery": "UNKNOWN"
},
"title": "monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41644",
"datePublished": "2026-05-07T11:56:37.721Z",
"dateReserved": "2026-04-21T23:58:43.802Z",
"dateUpdated": "2026-05-07T13:48:06.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41654 (GCVE-0-2026-41654)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:40 – Updated: 2026-05-08 14:23
| URL | Tags |
|---|---|
| https://github.com/WeblateOrg/weblate/security/ad… | x_refsource_CONFIRM |
| https://github.com/WeblateOrg/weblate/pull/19061 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/pull/19062 | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/commit/e1ef… | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/commit/e4b6… | x_refsource_MISC |
| https://github.com/WeblateOrg/weblate/releases/ta… | x_refsource_MISC |

| Vendor | Product | Version |
|---|---|---|
| WeblateOrg | weblate | Affected: < 5.17.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41654",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:23:34.840796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:23:41.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/\u003cname\u003e.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django\u0027s full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:40:12.532Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/19061",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/19061"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/19062",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/19062"
},
{
"name": "https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0"
},
{
"name": "https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14"
},
{
"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1"
}
],
"source": {
"advisory": "GHSA-cwcx-382v-8m9g",
"discovery": "UNKNOWN"
},
"title": "Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41654",
"datePublished": "2026-05-07T13:40:12.532Z",
"dateReserved": "2026-04-21T23:58:43.803Z",
"dateUpdated": "2026-05-08T14:23:41.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41682 (GCVE-0-2026-41682)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:47 – Updated: 2026-05-11 15:56
| URL | Tags |
|---|---|
| https://github.com/pupnp/pupnp/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/pupnp/pupnp/commit/def5f9a2bc4… | x_refsource_MISC |
| https://github.com/pupnp/pupnp/releases/tag/relea… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:56:02.493041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:56:09.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pupnp",
"vendor": "pupnp",
"versions": [
{
"status": "affected",
"version": "\u003c 1.18.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-195",
"description": "CWE-195: Signed to Unsigned Conversion Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:47:37.494Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58"
},
{
"name": "https://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b"
},
{
"name": "https://github.com/pupnp/pupnp/releases/tag/release-1.18.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pupnp/pupnp/releases/tag/release-1.18.5"
}
],
"source": {
"advisory": "GHSA-q522-6w45-4j58",
"discovery": "UNKNOWN"
},
"title": "pupnp: Port truncation via atoi() cast in parse_uri() allows SSRF port confusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41682",
"datePublished": "2026-05-08T22:47:37.494Z",
"dateReserved": "2026-04-22T03:53:24.406Z",
"dateUpdated": "2026-05-11T15:56:09.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41687 (GCVE-0-2026-41687)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:48 – Updated: 2026-05-07 14:56 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/ellite/Wallos/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ellite/Wallos/commit/e79f28be6… | x_refsource_MISC |
| https://github.com/ellite/Wallos/releases/tag/v4.8.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:56:20.647203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:56:55.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Wallos",
"vendor": "ellite",
"versions": [
{
"status": "affected",
"version": "\u003c 4.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does not block CGNAT addresses (100.64.0.0/10, RFC 6598). The includes/ssrf_helper.php file explicitly defines is_cgnat_ip() to cover this gap (used by notification endpoints), but the logo/icon URL fetching in subscription and payment endpoints performs its own inline validation that misses this range. This allows authenticated users to perform Blind SSRF to internal services in Tailscale, Carrier-Grade NAT, and other environments using 100.64.0.0/10 addresses. This issue has been patched in version 4.8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:48:43.805Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2"
},
{
"name": "https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85"
},
{
"name": "https://github.com/ellite/Wallos/releases/tag/v4.8.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ellite/Wallos/releases/tag/v4.8.1"
}
],
"source": {
"advisory": "GHSA-4v59-hghw-7gc2",
"discovery": "UNKNOWN"
},
"title": "Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL \u2014 is_cgnat_ip() Not Used in Inline Checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41687",
"datePublished": "2026-05-07T13:48:43.805Z",
"dateReserved": "2026-04-22T03:53:24.407Z",
"dateUpdated": "2026-05-07T14:56:55.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41688 (GCVE-0-2026-41688)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:52 – Updated: 2026-05-07 14:57 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/ellite/Wallos/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ellite/Wallos/commit/e87387f0e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41688",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:55:36.569657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:10.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Wallos",
"vendor": "ellite",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:52:00.576Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-h4g7-xv3v-q73g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-h4g7-xv3v-q73g"
},
{
"name": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef"
}
],
"source": {
"advisory": "GHSA-h4g7-xv3v-q73g",
"discovery": "UNKNOWN"
},
"title": "Incomplete fix for CVE-2026-33399: SSRF in Wallos"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41688",
"datePublished": "2026-05-07T13:52:00.576Z",
"dateReserved": "2026-04-22T03:53:24.407Z",
"dateUpdated": "2026-05-07T14:57:10.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
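The two Wallos records above describe a matched pair of destination-validation mistakes: a deny-list of "private" and "reserved" ranges that never mentions RFC 6598 shared address space, so 100.64.0.0/10 passes (CVE-2026-41687), and a check that resolves the hostname once and then hands the name, not the address, to cURL, so the client's own second lookup can land somewhere else (CVE-2026-41688). The Python below is an added example, not Wallos code and not a PHP reproduction: the PRIV/RES lists are the ranges the PHP manual documents for FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE, the resolver and HTTP transport are constructed stand-ins so it runs offline, and hook.example and the addresses are made-up inputs.

```python
"""Added example (not Wallos code): two SSRF-validation mistakes side by side.
1. A deny-list of 'private' + 'reserved' ranges (the shape of PHP's
   FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) never mentions RFC 6598
   shared address space, so 100.64.0.0/10 passes.
2. Validating one DNS answer and then letting the HTTP client resolve the name
   again leaves a rebinding TOCTOU window; pinning the validated IP closes it.
The resolver and transport are constructed stand-ins so this runs offline."""
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Ranges the PHP manual documents for the two filter flags; 100.64.0.0/10 is in neither.
PRIV_RANGES = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
RES_RANGES = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4",
               "::/128", "::1/128", "::ffff:0:0/96", "fe80::/10")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, used by Tailscale and carrier NAT


def denylist_check_passes(ip_text: str) -> bool:
    """Vulnerable shape: block what is on the list, allow everything else."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in PRIV_RANGES + RES_RANGES)


def allowlist_check_passes(ip_text: str) -> bool:
    """Hardened shape: only globally routable unicast, with CGNAT rejected by name."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in CGNAT:
        return False
    # is_global is False for loopback, link-local, private and reserved space;
    # multicast is excluded separately rather than relying on version-specific behaviour.
    return ip.is_global and not ip.is_multicast


class RebindingResolver:
    """Constructed attacker DNS: answers in order, then repeats the last answer.
    A real rebinding server does the same with a very low TTL."""

    def __init__(self, answers: List[str]) -> None:
        self._answers = list(answers)
        self.lookups = 0

    def resolve(self, host: str) -> str:
        answer = self._answers[min(self.lookups, len(self._answers) - 1)]
        self.lookups += 1
        return answer


# Stand-in for the HTTP client: transport(ip, host) returns the IP it connected to.
Transport = Callable[[str, str], str]


def _host_of(url: str) -> str:
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    return host


def fetch_unpinned(url: str, resolver: RebindingResolver, transport: Transport) -> str:
    """Vulnerable shape: check one answer, then pass the *name* on; the client resolves again."""
    host = _host_of(url)
    if not allowlist_check_passes(resolver.resolve(host)):   # time of check
        raise ValueError("destination not allowed")
    return transport(resolver.resolve(host), host)            # time of use: second lookup


def fetch_pinned(url: str, resolver: RebindingResolver, transport: Transport) -> str:
    """Hardened shape: connect to the IP that passed the check (what CURLOPT_RESOLVE does);
    the name is only used for the Host header and SNI."""
    host = _host_of(url)
    ip = resolver.resolve(host)
    if not allowlist_check_passes(ip):
        raise ValueError("destination not allowed")
    return transport(ip, host)


def demo() -> dict:
    """Run both checks and both fetch patterns against constructed inputs."""
    attacker_dns = ["93.184.216.34", "127.0.0.1"]  # public answer first, loopback after

    def connect_to(ip: str, host: str) -> str:
        return ip

    return {
        "cgnat_passes_denylist": denylist_check_passes("100.64.1.1"),
        "cgnat_passes_allowlist": allowlist_check_passes("100.64.1.1"),
        "unpinned_connects_to": fetch_unpinned("https://hook.example/", RebindingResolver(attacker_dns), connect_to),
        "pinned_connects_to": fetch_pinned("https://hook.example/", RebindingResolver(attacker_dns), connect_to),
    }


if __name__ == "__main__":
    print(demo())
```

In a real client the pinning step is the cURL CURLOPT_RESOLVE entry (HOST:PORT:ADDRESS) the second record refers to, or the equivalent in whatever HTTP library is in use, and it has to be repeated for every redirect hop, each hop being re-validated. Two further caveats the records do not spell out: if a name resolves to several addresses, every one of them must pass the check, because the client may pick any of them; and PHP's gethostbyname() returns a single IPv4 answer and, on failure, the unmodified hostname, so a checker built on it must reject non-address return values and handle IPv6 separately.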
CVE-2026-41689 (GCVE-0-2026-41689)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:53 – Updated: 2026-05-07 14:43
| URL | Tags |
|---|---|
| https://github.com/ellite/Wallos/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41689",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:43:18.790538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:43:47.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Wallos",
"vendor": "ellite",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:53:12.952Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv"
}
],
"source": {
"advisory": "GHSA-jx6w-832g-42wv",
"discovery": "UNKNOWN"
},
"title": "Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41689",
"datePublished": "2026-05-07T13:53:12.952Z",
"dateReserved": "2026-04-22T03:53:24.407Z",
"dateUpdated": "2026-05-07T14:43:47.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41854 (GCVE-0-2026-41854)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:51 – Updated: 2026-06-27 21:06 – CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version |
|---|---|---|
| Spring | Spring Framework | Affected: 7.0.0 , < 7.0.7.1 (custom); Affected: 6.2.0 , < 6.2.18.1 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:25:04.895135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:25:15.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Framework",
"vendor": "Spring",
"versions": [
{
"lessThan": "7.0.7.1",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "6.2.18.1",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18."
}
],
"value": "Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Incorrect host parsing in UriComponentsBuilder allows an attacker to supply an externally provided URL string that bypasses validation, resulting in a server-side request forgery attack."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T21:06:18.674Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41854"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring Framework Server-Side Request Forgery via UriComponentsBuilder",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41854",
"datePublished": "2026-06-09T03:51:49.021Z",
"dateReserved": "2026-04-22T06:22:10.081Z",
"dateUpdated": "2026-06-27T21:06:18.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
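The Spring record gives no detail of the UriComponentsBuilder host-parsing defect, so the example below does not reproduce it. It is an added illustration, not Spring Framework code, of the general bug class that record names: a validator that reasons about the URL text, or about a parse that differs from the client's, approves a host the client never connects to. It uses Python's urllib.parse, and api.example.com is an assumed allow-listed host.

```python
"""Added example (not Spring Framework code, and not a reproduction of the
UriComponentsBuilder defect, whose details the record does not give).  It shows
the general bug class that record describes: the validator approves a host that
the client does not actually connect to.  Uses urllib.parse; api.example.com is
an assumed allow-listed host."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"api.example.com"}  # assumption for the example


def validator_on_raw_string(url: str) -> bool:
    """Weak: reasons about the text, not the parsed host.
    'https://api.example.com@127.0.0.1/' and 'https://api.example.com.evil.example/'
    both start with the allowed prefix."""
    return url.startswith("https://api.example.com")


def effective_host(url: str) -> Optional[str]:
    """The host an RFC 3986 client connects to: userinfo before '@' and the port
    stripped, lower-cased."""
    return urlsplit(url).hostname


def validator_on_parsed_host(url: str) -> bool:
    """Hardened: decide on the same parsed components the request will be built from."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False            # credentials in the URL are a classic confusion vector
    try:
        port = parts.port        # raises ValueError on a malformed port
    except ValueError:
        return False
    return port in (None, 443)


def canonical_url(url: str) -> str:
    """Rebuild the URL from the validated components so exactly what was checked is sent."""
    if not validator_on_parsed_host(url):
        raise ValueError("host not allowed")
    parts = urlsplit(url)
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def audit(url: str) -> dict:
    """Both verdicts next to the host the client would really use."""
    return {
        "raw_string_verdict": validator_on_raw_string(url),
        "parsed_host_verdict": validator_on_parsed_host(url),
        "client_connects_to": effective_host(url),
    }


if __name__ == "__main__":
    for u in ("https://api.example.com/v1",
              "https://api.example.com@127.0.0.1/admin",
              "https://api.example.com.evil.example/"):
        print(u, audit(u))
```

The design point is that the parser used for the decision and the parser used for the request must be the same one, and that only the rebuilt canonical URL, never the caller's original string, reaches the client; a validator that disagrees with the client about where the host ends is exactly the condition the Spring record describes.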
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.