{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25870", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-06T19:12:03.464Z", "datePublished": "2026-02-10T22:16:28.212Z", "dateUpdated": "2026-04-07T17:17:28.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T17:17:28.735Z"}, "title": "DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "affected": [{"vendor": "doramart", "product": "DoraCMS", "repo": "https://github.com/doramart/DoraCMS", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.1.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:html-js:doracms:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.1"}]}]}], "descriptions": [{"lang": "en", "value": "DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion."}]}], "references": [{"url": "https://github.com/doramart/DoraCMS/issues/268", "tags": ["issue-tracking"]}, {"url": "https://www.doracms.net/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/doracms-ueditor-remote-image-fetch-ssrf", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Lennon Chia", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"references": [{"url": "https://github.com/doramart/DoraCMS/issues/268", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:43:04.660522Z", "id": "CVE-2026-25870", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:43:08.107Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25870", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T21:43:04.660522Z"}}}], "references": [{"url": "https://github.com/doramart/DoraCMS/issues/268", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:42:55.844Z"}}], "cna": {"title": "DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Lennon Chia"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/doramart/DoraCMS", "vendor": "doramart", "product": "DoraCMS", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/doramart/DoraCMS/issues/268", "tags": ["issue-tracking"]}, {"url": "https://www.doracms.net/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/doracms-ueditor-remote-image-fetch-ssrf", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.", "supportingMedia": [{"type": "text/html", "value": "DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:html-js:doracms:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T17:17:28.735Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25870", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:17:28.735Z", "dateReserved": "2026-02-06T19:12:03.464Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-10T22:16:28.212Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion."}, {"lang": "es", "value": "DoraCMS versi\u00f3n 3.1 y anteriores contiene una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en su funcionalidad de obtenci\u00f3n remota de im\u00e1genes de UEditor. La aplicaci\u00f3n acepta URLs proporcionadas por el usuario y realiza peticiones HTTP o HTTPS del lado del servidor sin validaci\u00f3n suficiente o restricciones de destino. La implementaci\u00f3n no aplica listas de permitidos, bloquea rangos de direcci\u00f3n IP internas o privadas, ni aplica tiempos de espera de petici\u00f3n o l\u00edmites de tama\u00f1o de respuesta. Un atacante puede abusar de este comportamiento para inducir al servidor a emitir peticiones salientes a hosts arbitrarios, incluyendo recursos de red internos, lo que podr\u00eda permitir el escaneo de red interno y la denegaci\u00f3n de servicio por agotamiento de recursos."}], "id": "CVE-2026-25870", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-10T23:16:16.287", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/doramart/DoraCMS/issues/268"}, {"source": "disclosure@vulncheck.com", "url": "https://www.doracms.net/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/doracms-ueditor-remote-image-fetch-ssrf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/doramart/DoraCMS/issues/268"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1]"}}], "product": "doracms", "vendor": "doramart"}], "analysis": {"en": {"generated_at": "2026-04-15T21:14:51.051875+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of DoraCMS newer than 3.1 or apply the vendor\u2019s patch to restrict outbound image fetch calls and enforce allowlists.", "If immediate upgrade is not possible, block or restrict the web server\u2019s outbound HTTP/HTTPS connections to internal IP ranges using firewall rules or a proxy to limit the reach of any SSRF calls.", "Disable or remove the UEditor remote image fetch functionality from the application configuration to eliminate the attack surface.", "Enforce stricter input validation for the image URL endpoint, adding an allowlist, blocking private IP ranges, and imposing timeouts or size limits on requests."], "summary": {"action": "Apply Patch", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Vendors: Doramart. Product: DoraCMS. Affected versions: 3.1 and all earlier releases.", "description_and_impact": "The vulnerability is an SSRF flaw present in the UEditor remote image fetch feature of DoraCMS versions 3.1 and earlier. The application takes a user\u2011supplied URL, fetches the image via an outbound HTTP or HTTPS request, and returns the response without checking the target address or applying restrictions. Due to this lack of validation, an attacker can cause the server to query arbitrary hosts, including internal network services, and can configure the request to exhaust resources or bypass firewall rules. The flaw is classified as CWE\u2011918 and could lead to information disclosure or denial of service.", "risk_and_exploitability": "This flaw carries a CVSS score of 6.9, indicating a medium severity impact, and the EPSS score is less than 1%, suggesting a low likelihood of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been reported. An attacker can abuse the flaw by sending a malicious URL through the UEditor remote image fetch endpoint; the server then performs an outbound request to the specified address. Because the request is not filtered, the attacker can target internal IP ranges, scan for services, or cause resource exhaustion. The attack requires only that the target system accepts the request, making it feasible for a remote adversary with internet access to trigger the SSRF."}}}}, "created": "2026-02-11T21:46:24.624882+00:00", "updated": "2026-04-15T21:15:13.591287+00:00", "vendors": ["doramart", "doramart$PRODUCT$doracms"]}