FKIE_CVE-2026-24736

Vulnerability from fkie_nvd - Published: 2026-01-27 21:16 - Updated: 2026-02-12 21:30
Summary
Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses; it accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (either manually, by calling the trigger endpoint, or by a content update or any other trigger), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API, turning a "blind" SSRF into a "full read" SSRF. As of the time of publication, no patched versions are available.
Impacted products
Vendor Product Version
squidex.io squidex *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:squidex.io:squidex:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB9DAE12-3516-4E2E-8CFE-D464ACDD44C2",
              "versionEndIncluding": "7.21.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define \"Webhooks\" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a \"Blind\" SSRF into a \"Full Read\" SSRF. As of time of publication, no patched versions are available."
    },
    {
      "lang": "es",
      "value": "Squidex es un sistema de gesti\u00f3n de contenido sin cabeza de c\u00f3digo abierto y un centro de gesti\u00f3n de contenido. Las versiones de la aplicaci\u00f3n hasta la 7.21.0 inclusive permiten a los usuarios definir \u0027Webhooks\u0027 como acciones dentro del motor de Reglas. El par\u00e1metro url en la configuraci\u00f3n del webhook no parece validar ni restringir las direcciones IP de destino. Acepta direcciones locales como 127.0.0.1 o localhost. Cuando se activa una regla (Ya sea por activaci\u00f3n manual llamando manualmente al endpoint de activaci\u00f3n o por una actualizaci\u00f3n de contenido o cualquier otra activaci\u00f3n), el servidor backend ejecuta una solicitud HTTP a la URL proporcionada por el usuario. Fundamentalmente, el servidor registra la respuesta HTTP completa en el registro de ejecuci\u00f3n de la regla (campo lastDump), que es accesible a trav\u00e9s de la API. Lo que convierte un SSRF \u0027Ciego\u0027 en un SSRF de \u0027Lectura Completa\u0027. Al momento de la publicaci\u00f3n, no hay versiones parcheadas disponibles."
    }
  ],
  "id": "CVE-2026-24736",
  "lastModified": "2026-02-12T21:30:02.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-27T21:16:02.967",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
