{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25123", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.539Z", "datePublished": "2026-02-06T21:19:40.212Z", "dateUpdated": "2026-02-09T15:27:03.275Z"}, "containers": {"cna": {"title": "Homarr affected by Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74"}], "affected": [{"vendor": "homarr-labs", "product": "homarr", "versions": [{"version": "< 1.52.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T21:19:40.212Z"}, "descriptions": [{"lang": "en", "value": "Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0."}], "source": {"advisory": "GHSA-c6rh-8wj4-gv74", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:21:56.201226Z", "id": "CVE-2026-25123", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:27:03.275Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:21:56.201226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:21:56.929Z"}}], "cna": {"title": "Homarr affected by Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping", "source": {"advisory": "GHSA-c6rh-8wj4-gv74", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "homarr-labs", "product": "homarr", "versions": [{"status": "affected", "version": "< 1.52.0"}]}], "references": [{"url": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74", "name": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T21:19:40.212Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25123", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:27:03.275Z", "dateReserved": "2026-01-29T14:03:42.539Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T21:19:40.212Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*", "matchCriteriaId": "A87B1EAB-AF23-4E1E-A33B-D84AA170D817", "versionEndExcluding": "1.52.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0."}, {"lang": "es", "value": "Homarr es un panel de control de c\u00f3digo abierto. Antes de la versi\u00f3n 1.52.0, un endpoint tRPC p\u00fablico (no autenticado) widget.app.ping acepta una URL arbitraria y realiza una solicitud del lado del servidor a esa URL. Esto permite a un atacante no autenticado activar solicitudes HTTP salientes desde el servidor de Homarr, lo que habilita el comportamiento SSRF y una primitiva fiable de escaneo de puertos (los puertos abiertos frente a los cerrados pueden inferirse del c\u00f3digo de estado frente a la falla de la solicitud y el tiempo). Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.52.0."}], "id": "CVE-2026-25123", "lastModified": "2026-02-18T18:08:19.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T22:16:11.153", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:22:45.074032+00:00", "value": {"mitigation_remediation": ["Upgrade Homarr to version 1.52.0 or later to remove the vulnerable endpoint.", "Configure the host firewall or security group to restrict outbound HTTP/HTTPS traffic from the Homarr server, limiting potential SSRF reach.", "If an upgrade is not immediately possible, disable the widget.app.ping endpoint or apply an application\u2011level rule to block external HTTP requests from this route."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery (SSRF) and port\u2011scanning via public widget.app.ping endpoint"}, "threat_synthesis": {"affected_systems": "This issue impacts Homarr dashboards running any version before 1.52.0. All installations of homarr-labs:homarr that have not been upgraded to at least 1.52.0 are susceptible.", "description_and_impact": "The Homarr dashboard allowed any unauthenticated user to query the widget.app.ping tRPC endpoint with an arbitrary URL. The server then performed an outbound HTTP request to that URL, providing the attacker with the ability to direct all outbound traffic from the Homarr instance. This results in SSRF, enabling the attacker to reach internal or restricted resources, and a reliable port\u2011scanning primitive through response status codes and fetch failures. The vulnerability could lead to information disclosure, network reconnaissance, or further exploitation of reachable services, with limited privileges confined to the host running Homarr.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as <1%, suggesting a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can reach the widget.app.ping endpoint without authentication, likely exposing it through a public network or internal network where the Homarr instance is reachable. Once accessed, the attacker supplies a crafted URL, triggering an outbound request from the server. The method of discerning open or closed ports via status code or timing implies that the attack can be performed programmatically for reconnaissance or other malicious objectives."}}}}, "created": "2026-02-09T10:50:20.217434+00:00", "updated": "2026-04-17T22:30:29.592364+00:00", "vendors": ["homarr-labs", "homarr-labs$PRODUCT$homarr"]}