Search criteria
3 vulnerabilities by mosparo
CVE-2026-41195 (GCVE-0-2026-41195)
Vulnerability from cvelistv5 – Published: 2026-05-12 21:24 – Updated: 2026-05-18 14:51
VLAI
Title
mosparo: Rule package source URL stored SSRF enables internal HTTP probing
Summary
mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.
Severity
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mosparo/mosparo/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41195",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T14:51:30.964891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T14:51:58.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mosparo",
"vendor": "mosparo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:24:35.643Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg"
}
],
"source": {
"advisory": "GHSA-92fh-26qf-r8rg",
"discovery": "UNKNOWN"
},
"title": "mosparo: Rule package source URL stored SSRF enables internal HTTP probing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41195",
"datePublished": "2026-05-12T21:24:35.643Z",
"dateReserved": "2026-04-18T02:51:52.973Z",
"dateUpdated": "2026-05-18T14:51:58.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5687 (GCVE-0-2023-5687)
Vulnerability from cvelistv5 – Published: 2023-10-20 16:22 – Updated: 2024-09-11 18:35
VLAI
Title
Cross-Site Request Forgery (CSRF) in mosparo/mosparo
Summary
Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo prior to 1.0.3.
Severity
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mosparo | mosparo/mosparo |
Affected:
unspecified , < 1.0.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:07:32.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/33f95510-cdee-460e-8e61-107874962f2d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mosparo/mosparo/commit/fb3ac528b7548beb802182310967968a21c1354a"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mosparo:mosparo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mosparo",
"vendor": "mosparo",
"versions": [
{
"lessThan": "1.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:29:55.717362Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:35:46.329Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mosparo/mosparo",
"vendor": "mosparo",
"versions": [
{
"lessThan": "1.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo prior to 1.0.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T16:22:43.785Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.com/bounties/33f95510-cdee-460e-8e61-107874962f2d"
},
{
"url": "https://github.com/mosparo/mosparo/commit/fb3ac528b7548beb802182310967968a21c1354a"
}
],
"source": {
"advisory": "33f95510-cdee-460e-8e61-107874962f2d",
"discovery": "EXTERNAL"
},
"title": "Cross-Site Request Forgery (CSRF) in mosparo/mosparo"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5687",
"datePublished": "2023-10-20T16:22:43.785Z",
"dateReserved": "2023-10-20T16:22:40.571Z",
"dateUpdated": "2024-09-11T18:35:46.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5375 (GCVE-0-2023-5375)
Vulnerability from cvelistv5 – Published: 2023-10-04 08:30 – Updated: 2024-09-17 13:50
VLAI
Title
Open Redirect in mosparo/mosparo
Summary
Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2.
Severity
4.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mosparo | mosparo/mosparo |
Affected:
unspecified , < 1.0.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/3fa2abde-cb58-45a3-a115-1727ece9acb9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mosparo/mosparo/commit/9d5da367b78b8c883bfef5f332ffea26292f99e8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5375",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:48:41.734002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T13:50:50.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mosparo/mosparo",
"vendor": "mosparo",
"versions": [
{
"lessThan": "1.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-04T08:30:39.679Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/3fa2abde-cb58-45a3-a115-1727ece9acb9"
},
{
"url": "https://github.com/mosparo/mosparo/commit/9d5da367b78b8c883bfef5f332ffea26292f99e8"
}
],
"source": {
"advisory": "3fa2abde-cb58-45a3-a115-1727ece9acb9",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in mosparo/mosparo"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5375",
"datePublished": "2023-10-04T08:30:39.679Z",
"dateReserved": "2023-10-04T08:30:27.542Z",
"dateUpdated": "2024-09-17T13:50:50.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}