Skip to main content

Podigee CVE-2026-39695

| EUVDEUVD-2026-20392 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 Patchstack GHSA-3j6c-rq24-cp7j
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20392
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0.

AnalysisAI

Server-Side Request Forgery (SSRF) in Podigee plugin versions up to 1.4.0 allows remote attackers to make arbitrary HTTP requests from the affected server to internal or external resources without authentication. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact across trust boundaries (AV:N/AC:H/PR:N). EPSS exploitation probability is very low at 0.02% (4th percentile), indicating minimal real-world attack likelihood despite public vulnerability disclosure.

Technical ContextAI

Server-Side Request Forgery (CWE-918) vulnerabilities occur when an application makes HTTP requests based on untrusted user input without proper validation or allowlisting. In the Podigee WordPress plugin, the application likely accepts user-controlled URLs or parameters that are passed to backend request libraries (such as PHP's file_get_contents, cURL, or equivalent), enabling attackers to redirect requests to internal services (localhost, private IP ranges, internal APIs), external targets, or cloud metadata endpoints. The Podigee plugin (CPE: cpe:2.3:a:podigee:podigee:*:*:*:*:*:*:*:*) is a WordPress audio/podcast hosting and management tool that handles media URLs and feeds; the SSRF likely exists in functionality that fetches external podcast feeds, metadata, or media files.

RemediationAI

Update the Podigee plugin to a version later than 1.4.0 as soon as a patched release becomes available through the official WordPress plugin repository. Until a patch is released, disable or restrict access to Podigee plugin features that accept external URLs or fetch remote content (such as feed import functionality) if possible, and implement network-level restrictions to prevent the WordPress server from accessing internal infrastructure (using firewall rules or security groups to deny outbound connections to private IP ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and cloud metadata endpoints). For detailed remediation guidance, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/podigee/vulnerability/wordpress-podigee-plugin-1-4-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve.

Share

CVE-2026-39695 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy