CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CVE-2026-0532 (GCVE-0-2026-0532)
Vulnerability from cvelistv5 – Published: 2026-01-14 10:14 – Updated: 2026-01-14 16:18
VLAI
Title
External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector
Summary
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T16:17:27.816904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T16:18:47.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kibana",
"vendor": "Elastic",
"versions": [
{
"lessThanOrEqual": "8.19.9",
"status": "affected",
"version": "8.15.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.1.9",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.3",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExternal Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts \u0026 Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.\u003c/p\u003e"
}
],
"value": "External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts \u0026 Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads."
}
],
"impacts": [
{
"capecId": "CAPEC-76",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-76 Manipulating Web Input to File System Calls"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T10:14:57.415Z",
"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"shortName": "elastic"
},
"references": [
{
"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524"
}
],
"source": {
"discovery": "Elastic"
},
"title": "External Control of File Name or Path and Server-Side Request Forgery (SSRF) in Kibana Google Gemini Connector",
"x_generator": {
"engine": "Elastic CVE Publisher 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"assignerShortName": "elastic",
"cveId": "CVE-2026-0532",
"datePublished": "2026-01-14T10:14:57.415Z",
"dateReserved": "2025-12-19T16:02:39.148Z",
"dateUpdated": "2026-01-14T16:18:47.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0560 (GCVE-0-2026-0560)
Vulnerability from cvelistv5 – Published: 2026-03-29 17:51 – Updated: 2026-03-30 15:33
VLAI
Title
Server-Side Request Forgery (SSRF) in parisneo/lollms
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| parisneo | parisneo/lollms |
Affected:
unspecified , < 2.2.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0560",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T15:33:20.974551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T15:33:31.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parisneo/lollms",
"vendor": "parisneo",
"versions": [
{
"lessThan": "2.2.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-29T17:51:20.708Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5"
},
{
"url": "https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263"
}
],
"source": {
"advisory": "65e43a5e-b902-4369-b738-1825285a3ea5",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in parisneo/lollms"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2026-0560",
"datePublished": "2026-03-29T17:51:20.708Z",
"dateReserved": "2026-01-01T22:10:15.839Z",
"dateUpdated": "2026-03-30T15:33:31.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0600 (GCVE-0-2026-0600)
Vulnerability from cvelistv5 – Published: 2026-01-14 22:29 – Updated: 2026-01-15 14:51
VLAI
Title
Nexus Repository 3 - Server-Side Request Forgery in Proxy Repository Configuration
Summary
Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://support.sonatype.com/hc/en-us/articles/47… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Sonatype | Nexus Repository |
Affected:
3.0.0 , < *
(semver)
cpe:2.3:a:sonatype:nexus_repository_manager:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.73.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.74.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.75.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.75.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.76.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.76.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.77.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.78.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.78.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.79.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.80.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.81.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.82.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.87.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.87.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T14:50:50.803243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T14:51:42.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.73.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.74.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.75.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.75.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.76.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.76.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.77.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.78.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.78.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.79.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.80.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.81.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.82.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.87.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.87.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default."
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T22:29:09.256Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/47928855816595"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository 3 - Server-Side Request Forgery in Proxy Repository Configuration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eStarting in version 3.88.0, administrators can configure the private network validation setting to block proxy repositories from accessing private network destinations. Cloud metadata endpoints (169.254.169.254) are always blocked regardless of configuration. See the security documentation at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://help.sonatype.com/en/securing-nexus-repository-manager.html\"\u003ehttps://help.sonatype.com/en/securing-nexus-repository-manager.html\u003c/a\u003e for detailed configuration steps.\u003c/p\u003e"
}
],
"value": "Starting in version 3.88.0, administrators can configure the private network validation setting to block proxy repositories from accessing private network destinations. Cloud metadata endpoints (169.254.169.254) are always blocked regardless of configuration. See the security documentation at https://help.sonatype.com/en/securing-nexus-repository-manager.html for detailed configuration steps."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2026-0600",
"datePublished": "2026-01-14T22:29:09.256Z",
"dateReserved": "2026-01-05T12:59:19.155Z",
"dateUpdated": "2026-01-15T14:51:42.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0632 (GCVE-0-2026-0632)
Vulnerability from cvelistv5 – Published: 2026-02-09 11:22 – Updated: 2026-04-08 17:34
VLAI
Title
Fluent Forms Pro Add On Pack <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource'
Summary
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| techjewel | Fluent Forms Pro Add On Pack |
Affected:
0 , ≤ 6.1.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0632",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T13:21:53.159076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T13:22:06.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Forms Pro Add On Pack",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "6.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the \u0027saveDataSource\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:55.867Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd3bf470-f966-454d-8df3-0dec4682e883?source=cve"
},
{
"url": "https://fluentforms.com/docs/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-06T00:40:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-08T22:49:11.000Z",
"value": "Disclosed"
}
],
"title": "Fluent Forms Pro Add On Pack \u003c= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via \u0027saveDataSource\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0632",
"datePublished": "2026-02-09T11:22:35.952Z",
"dateReserved": "2026-01-06T00:21:53.194Z",
"dateUpdated": "2026-04-08T17:34:55.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0649 (GCVE-0-2026-0649)
Vulnerability from cvelistv5 – Published: 2026-01-07 00:32 – Updated: 2026-02-23 08:22
VLAI
Title
invoiceninja Migration Import Import.php copy server-side request forgery
Summary
A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.339720 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.339720 | signaturepermissions-required |
| https://vuldb.com/?submit.721323 | third-party-advisory |
| https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | invoiceninja |
Affected:
5.12.0
Affected: 5.12.1 Affected: 5.12.2 Affected: 5.12.3 Affected: 5.12.4 Affected: 5.12.5 Affected: 5.12.6 Affected: 5.12.7 Affected: 5.12.8 Affected: 5.12.9 Affected: 5.12.10 Affected: 5.12.11 Affected: 5.12.12 Affected: 5.12.13 Affected: 5.12.14 Affected: 5.12.15 Affected: 5.12.16 Affected: 5.12.17 Affected: 5.12.18 Affected: 5.12.19 Affected: 5.12.20 Affected: 5.12.21 Affected: 5.12.22 Affected: 5.12.23 Affected: 5.12.24 Affected: 5.12.25 Affected: 5.12.26 Affected: 5.12.27 Affected: 5.12.28 Affected: 5.12.29 Affected: 5.12.30 Affected: 5.12.31 Affected: 5.12.32 Affected: 5.12.33 Affected: 5.12.34 Affected: 5.12.35 Affected: 5.12.36 Affected: 5.12.37 Affected: 5.12.38 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0649",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-07T14:27:52.863067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T14:28:45.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Migration Import"
],
"product": "invoiceninja",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "5.12.0"
},
{
"status": "affected",
"version": "5.12.1"
},
{
"status": "affected",
"version": "5.12.2"
},
{
"status": "affected",
"version": "5.12.3"
},
{
"status": "affected",
"version": "5.12.4"
},
{
"status": "affected",
"version": "5.12.5"
},
{
"status": "affected",
"version": "5.12.6"
},
{
"status": "affected",
"version": "5.12.7"
},
{
"status": "affected",
"version": "5.12.8"
},
{
"status": "affected",
"version": "5.12.9"
},
{
"status": "affected",
"version": "5.12.10"
},
{
"status": "affected",
"version": "5.12.11"
},
{
"status": "affected",
"version": "5.12.12"
},
{
"status": "affected",
"version": "5.12.13"
},
{
"status": "affected",
"version": "5.12.14"
},
{
"status": "affected",
"version": "5.12.15"
},
{
"status": "affected",
"version": "5.12.16"
},
{
"status": "affected",
"version": "5.12.17"
},
{
"status": "affected",
"version": "5.12.18"
},
{
"status": "affected",
"version": "5.12.19"
},
{
"status": "affected",
"version": "5.12.20"
},
{
"status": "affected",
"version": "5.12.21"
},
{
"status": "affected",
"version": "5.12.22"
},
{
"status": "affected",
"version": "5.12.23"
},
{
"status": "affected",
"version": "5.12.24"
},
{
"status": "affected",
"version": "5.12.25"
},
{
"status": "affected",
"version": "5.12.26"
},
{
"status": "affected",
"version": "5.12.27"
},
{
"status": "affected",
"version": "5.12.28"
},
{
"status": "affected",
"version": "5.12.29"
},
{
"status": "affected",
"version": "5.12.30"
},
{
"status": "affected",
"version": "5.12.31"
},
{
"status": "affected",
"version": "5.12.32"
},
{
"status": "affected",
"version": "5.12.33"
},
{
"status": "affected",
"version": "5.12.34"
},
{
"status": "affected",
"version": "5.12.35"
},
{
"status": "affected",
"version": "5.12.36"
},
{
"status": "affected",
"version": "5.12.37"
},
{
"status": "affected",
"version": "5.12.38"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "gets (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:22:03.166Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339720 | invoiceninja Migration Import Import.php copy server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339720"
},
{
"name": "VDB-339720 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339720"
},
{
"name": "Submit #721323 | invoiceninja \u003c= 5.12.38. ssrf",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.721323"
},
{
"tags": [
"exploit"
],
"url": "https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-06T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-06T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-08T10:11:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "invoiceninja Migration Import Import.php copy server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-0649",
"datePublished": "2026-01-07T00:32:07.531Z",
"dateReserved": "2026-01-06T16:20:31.689Z",
"dateUpdated": "2026-02-23T08:22:03.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0682 (GCVE-0-2026-0682)
Vulnerability from cvelistv5 – Published: 2026-01-17 03:24 – Updated: 2026-04-08 17:01
VLAI
Title
Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter
Summary
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| andy_moyle | Church Admin |
Affected:
0 , ≤ 5.0.28
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:47:43.198878Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:48.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Church Admin",
"vendor": "andy_moyle",
"versions": [
{
"lessThanOrEqual": "5.0.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phap Nguyen Anh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the \u0027audio_url\u0027 parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:39.665Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3440847%40church-admin\u0026new=3440847%40church-admin\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T22:21:35.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T14:51:20.000Z",
"value": "Disclosed"
}
],
"title": "Church Admin \u003c= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via \u0027audio_url\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0682",
"datePublished": "2026-01-17T03:24:24.110Z",
"dateReserved": "2026-01-07T18:03:26.237Z",
"dateUpdated": "2026-04-08T17:01:39.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0686 (GCVE-0-2026-0686)
Vulnerability from cvelistv5 – Published: 2026-04-02 07:39 – Updated: 2026-04-08 16:34
VLAI
Title
Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery
Summary
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pfefferle | Webmention |
Affected:
0 , ≤ 5.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T13:44:33.774838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:45:20.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmention",
"vendor": "pfefferle",
"versions": [
{
"lessThanOrEqual": "5.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duong Quang Hao"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the \u0027MF2::parse_authorpage\u0027 function via the \u0027Receiver::post\u0027 function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:21.028Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08d15c46-d15f-4803-80be-90bf33335c18?source=cve"
},
{
"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/handler/class-mf2.php#L878"
},
{
"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/handler/class-mf2.php#L877"
},
{
"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-receiver.php#L260"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-07T19:33:54.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-01T19:17:15.000Z",
"value": "Disclosed"
}
],
"title": "Webmention \u003c= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0686",
"datePublished": "2026-04-02T07:39:35.655Z",
"dateReserved": "2026-01-07T19:18:17.788Z",
"dateUpdated": "2026-04-08T16:34:21.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0688 (GCVE-0-2026-0688)
Vulnerability from cvelistv5 – Published: 2026-04-02 07:39 – Updated: 2026-04-08 16:32
VLAI
Title
Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Summary
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pfefferle | Webmention |
Affected:
0 , ≤ 5.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0688",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T13:23:17.279236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:32:05.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmention",
"vendor": "pfefferle",
"versions": [
{
"lessThanOrEqual": "5.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duong Quang Hao"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the \u0027Tools::read\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:32:45.483Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02c9beba-dfa5-4a30-8355-62ff9a2630f7?source=cve"
},
{
"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/class-tools.php#L81"
},
{
"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-tools.php#L81"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-07T19:46:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-01T19:17:16.000Z",
"value": "Disclosed"
}
],
"title": "Webmention \u003c= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0688",
"datePublished": "2026-04-02T07:39:34.999Z",
"dateReserved": "2026-01-07T19:31:01.518Z",
"dateUpdated": "2026-04-08T16:32:45.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0745 (GCVE-0-2026-0745)
Vulnerability from cvelistv5 – Published: 2026-02-14 06:42 – Updated: 2026-04-16 13:53
VLAI
Title
User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter
Summary
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| webilop | User Language Switch |
Affected:
0 , ≤ 1.6.10
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0745",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T13:52:58.344894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:53:08.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Language Switch",
"vendor": "webilop",
"versions": [
{
"lessThanOrEqual": "1.6.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the \u0027download_language()\u0027 function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:31.409Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d8d15be-6a7b-485e-a338-ccf1a6eb226c?source=cve"
},
{
"url": "https://downloads.wordpress.org/plugin/user-language-switch.zip"
},
{
"url": "https://wordpress.org/plugins/user-language-switch/"
},
{
"url": "https://plugins.trac.wordpress.org/browser/user-language-switch/trunk/uls-options.php#L451"
},
{
"url": "https://plugins.trac.wordpress.org/browser/user-language-switch/tags/1.6.10/uls-options.php#L451"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T18:30:57.000Z",
"value": "Disclosed"
}
],
"title": "User Language Switch \u003c= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via \u0027info_language\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0745",
"datePublished": "2026-02-14T06:42:27.887Z",
"dateReserved": "2026-01-08T18:43:02.867Z",
"dateUpdated": "2026-04-16T13:53:08.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0746 (GCVE-0-2026-0746)
Vulnerability from cvelistv5 – Published: 2026-01-27 18:27 – Updated: 2026-04-08 17:23
VLAI
Title
AI Engine <= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Summary
The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tigroumeow | AI Engine – The Chatbot, AI Framework & MCP for WordPress |
Affected:
0 , ≤ 3.3.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:05:46.546803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:11:11.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI Engine \u2013 The Chatbot, AI Framework \u0026 MCP for WordPress",
"vendor": "tigroumeow",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the \u0027get_audio\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if \"Public API\" is enabled in the plugin settings, and \u0027allow_url_fopen\u0027 is set to \u0027On\u0027 on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:23:35.066Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbba866d-93dd-4ef5-9670-ab958f61f06e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.1/classes/engines/chatml.php#L946"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/engines/chatml.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T19:24:35.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T06:06:34.000Z",
"value": "Disclosed"
}
],
"title": "AI Engine \u003c= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0746",
"datePublished": "2026-01-27T18:27:55.920Z",
"dateReserved": "2026-01-08T19:06:51.188Z",
"dateUpdated": "2026-04-08T17:23:35.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.