
Visual Link Preview CVE-2026-39670

EUVD-2026-20346 · MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-04-08 · Patchstack · GHSA-gfpr-2vcf-jmxj
CVSS 3.1 (NVD): 6.0

Severity by source

NVD (primary): 6.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Apr 08, 2026 08:45 (euvd): EUVD ID Assigned, EUVD-2026-20346
Apr 08, 2026 08:45 (vuln.today): Analysis Generated
Apr 08, 2026 08:30 (nvd): CVE Published

Description (CVE.org)

Server-Side Request Forgery (SSRF) vulnerability in Brecht Visual Link Preview visual-link-preview allows Server Side Request Forgery. This issue affects Visual Link Preview: from n/a through <= 2.3.0.

Analysis (AI)

Server-Side Request Forgery (SSRF) in the Brecht Visual Link Preview WordPress plugin, versions through 2.3.0, allows authenticated attackers with low privileges to make arbitrary network requests from the affected server, potentially reaching internal resources or metadata services, or performing actions in the server's name. No public exploit code was identified at the time of analysis, and the estimated real-world exploitation probability is low (EPSS 0.02%) despite the moderate CVSS score.


Vulnerability Assessment (AI)

Risk Assessment
CVSS 6.0 with a network attack vector, high attack complexity, and low privileges required indicates a moderate-severity vulnerability, yet the very low EPSS score (0.02%, 4th percentile) suggests minimal real-world exploitation probability. …

Exploit Scenario
An authenticated WordPress user with low privileges (e.g., the contributor or subscriber role) could issue a link preview request carrying a malicious URL parameter (such as http://169.254.169.254/latest/meta-data/ for AWS metadata, or http://localhost:6379/ for local Redis access). The plugin's preview-generation function would process this request without validating the target, so the request is made from the server's network context and the response, including any sensitive data, is returned to the attacker. …

Remediation
Update Visual Link Preview to a version newer than 2.3.0 if one is available from the plugin developer. …



