What is the CVSS score of CVE-2026-24736?

CVE-2026-24736 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Squidex are affected by CVE-2026-24736?

Squidex versions up to 7.21.0 contain a critical vulnerability (CVSS 9.1) in the Rules engine's webhook functionality that could allow attackers to execute arbitrary actions or compromise system…

Is there a public PoC exploit available for CVE-2026-24736?

Yes, a public proof-of-concept exploit is available for CVE-2026-24736. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-24736?

Within 24 hours: Inventory all Squidex instances and document versions in use; disable webhook functionality in the Rules engine if operationally feasible. Within 7 days: Implement network segmentation to restrict Squidex outbound connections; enable detailed logging and monitoring of Rules engine activity; assess whether your version is affected (≤7.21.0). Within 30 days: Monitor vendor security advisories for patch availability and apply immediately upon release; evaluate alternative content management solutions if patch timelines are unacceptable; conduct security audit of webhook configurations and Rules engine usage.

Squidex CVE-2026-24736

CRITICAL

Server-Side Request Forgery (SSRF) (CWE-918)

2026-01-27 security-advisories@github.com

SSRF Squidex

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 12, 2026 - 21:30 vuln.today

Public exploit code

CVE Published

Jan 27, 2026 - 21:16 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a "Blind" SSRF into a "Full Read" SSRF. As of time of publication, no patched versions are available.

AnalysisAI

Server-Side Request Forgery (SSRF) vulnerability in Squidex CMS webhook configuration allows authenticated administrators to make requests to internal services by specifying localhost or internal IP addresses as webhook destinations. PoC available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as high-privilege user

Delivery

Configure webhook with localhost URL

Exploit

Trigger rule execution

Execution

Backend sends HTTP request to internal service

Impact

Access internal resources or execute commands

Access

Authenticate as high-privilege user

Delivery

Configure webhook with localhost URL

Exploit

Trigger rule execution

Execution

Backend sends HTTP request to internal service

Impact

Access internal resources or execute commands

Vulnerability AssessmentAI

Exploitation	High-privilege user account required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1 with high-privilege requirement (admin). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Compromised or malicious admin configures webhook pointing to cloud metadata endpoint, triggers rule execution, retrieves IAM credentials or internal service data.
Remediation	Update Squidex beyond 7.21.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Squidex instances and document versions in use; disable webhook functionality in the Rules engine if operationally feasible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24736 vulnerability details – vuln.today

Back

Squidex CVE-2026-24736

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code