Skip to main content

Nelio Content CVE-2026-39521

| EUVDEUVD-2026-20183 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 Patchstack GHSA-7vhv-799g-fcfv
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 16:22 NVD
4.9 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20183
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1.

AnalysisAI

Server-Side Request Forgery (SSRF) in Nelio Content WordPress plugin through version 4.3.1 allows authenticated attackers to make arbitrary HTTP requests from the vulnerable server, potentially accessing internal services and exfiltrating sensitive data. The vulnerability requires authenticated access (PR:L) and high attack complexity (AC:H), limiting real-world risk despite affecting all versions up to 4.3.1. No public exploit code or active exploitation has been confirmed; EPSS score of 0.02% (4th percentile) indicates very low exploitation probability.

Technical ContextAI

The vulnerability is a classic Server-Side Request Forgery (CWE-918) flaw in the Nelio Content plugin for WordPress. SSRF vulnerabilities occur when application code constructs HTTP requests based on user-controlled input without proper validation, allowing attackers to forge requests that originate from the server itself rather than the attacker's machine. This is particularly dangerous in cloud and containerized environments where internal services (databases, metadata endpoints, API gateways) are often accessible only from the server. The Nelio Content plugin (WordPress plugin architecture, CPE: cpe:2.3:a:nelio_software:nelio_content) appears to have insufficient URL validation in a feature that constructs or proxies HTTP requests, permitting an authenticated user to supply a malicious URL that the server then fetches. The high attack complexity (AC:H) suggests the vulnerability requires specific conditions-such as knowledge of internal network topology or crafting of particular request types-rather than trivial exploitation.

RemediationAI

Update Nelio Content to a patched version beyond 4.3.1 immediately. Check the official Nelio Software plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-3-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve for the exact released version containing the fix. As an interim mitigation, restrict Nelio Content plugin access to trusted administrator accounts only, and implement network-level egress filtering to prevent the server from connecting to internal services (e.g., cloud metadata endpoints, private databases, or restricted APIs). Monitor plugin file integrity and server outbound HTTP connections for anomalies.

Share

CVE-2026-39521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy