{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41172", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-04-22T21:22:55.727Z", "dateUpdated": "2026-04-23T12:52:16.717Z"}, "containers": {"cna": {"title": "Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv"}, {"name": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4"}], "affected": [{"vendor": "Squidex", "product": "squidex", "versions": [{"version": "< 7.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T21:22:55.727Z"}, "descriptions": [{"lang": "en", "value": "Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix."}], "source": {"advisory": "GHSA-x7cq-4f4c-8qcv", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:52:12.099562Z", "id": "CVE-2026-41172", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:52:16.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41172", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T12:52:12.099562Z"}}}], "references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:51:34.806Z"}}], "cna": {"title": "Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)", "source": {"advisory": "GHSA-x7cq-4f4c-8qcv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Squidex", "product": "squidex", "versions": [{"status": "affected", "version": "< 7.23.0"}]}], "references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv", "name": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4", "name": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T21:22:55.727Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41172", "state": "PUBLISHED", "dateUpdated": "2026-04-23T12:52:16.717Z", "dateReserved": "2026-04-17T16:34:45.525Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T21:22:55.727Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix."}], "id": "CVE-2026-41172", "lastModified": "2026-04-24T14:45:24.803", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T22:16:31.690", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4"}, {"source": "security-advisories@github.com", "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-x7cq-4f4c-8qcv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.23.0)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "squidex", "source": "cna", "vendor": "Squidex"}, "product": "squidex", "vendor": "squidex.io"}], "analysis": {"en": {"generated_at": "2026-04-27T08:22:04.128968+00:00", "value": {"mitigation_remediation": ["Upgrade Squidex to version 7.23.0 or later to apply the fix for the SSRF vulnerability.", "If upgrading is not immediately possible, limit asset upload permissions to only trusted users and enforce strict authorization checks for the upload endpoint.", "Configure network controls or outbound request filtering on the Squidex host to block requests to internal or restricted IP ranges, mitigating the effect of the SSRF."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Squidex Squidex \u2013 the open\u2011source headless content management system. Versions older than 7.23.0 are affected when the asset upload feature is enabled for a user. The vulnerability requires the user to have permission to upload assets.", "description_and_impact": "An SSRF flaw exists when uploading assets via the URL-based asset upload endpoint. A user holding asset upload permission can instruct the Squidex server to fetch any target URL, including internal or local addresses, and save the response as an asset. This can lead to the server making arbitrary outbound HTTP requests, potentially exposing internal network resources and leaking sensitive data, though the flaw does not provide direct code execution or command execution capabilities.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity vulnerability. The EPSS score is not available, and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires a legitimate user account with asset upload capability; the attacker can trigger outbound requests to arbitrary URLs, including internal services. While the flaw cannot directly grant code execution, it enables the server to access private networks and persist external data, posing significant security risk."}}}}, "created": "2026-04-27T18:42:00.076974+00:00", "updated": "2026-04-27T20:15:12.109016+00:00", "vendors": ["squidex.io", "squidex.io$PRODUCT$squidex"]}