Which versions of Squidex are affected by CVE-2026-41172?

Squidex CMS versions before 7.23.0 contain a server-side request forgery vulnerability that allows authenticated users with asset upload permissions to retrieve internal network resources and cloud…. A patch is available.

How to fix or mitigate CVE-2026-41172?

Within 24 hours: Identify all Squidex deployments and their current versions using asset management records. Within 7 days: Upgrade Squidex to version 7.23.0 or later per vendor advisory GHSA-x7cq-4f4c-8qcv; test in non-production first. Within 30 days: Review audit logs for unauthorized asset uploads by authenticated users since deployment and audit IAM credentials for exposure.

Squidex CVE-2026-41172

Q: What is the CVSS score of CVE-2026-41172?

CVE-2026-41172 has a CVSS 4.0 base score of 7.3 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-25106 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-22 GitHub_M

SSRF Squidex

7.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 24, 2026 - 14:45 nvd

Patch available

Re-analysis Queued

Apr 23, 2026 - 13:22 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:52 vuln.today

Patch available

Apr 22, 2026 - 23:02 EUVD

CVSS changed

Apr 22, 2026 - 22:22 NVD

7.3 (HIGH)

EUVD ID Assigned

Apr 22, 2026 - 21:46 euvd

EUVD-2026-25106

Analysis Generated

Apr 22, 2026 - 21:46 vuln.today

CVE Published

Apr 22, 2026 - 21:22 nvd

HIGH 7.3

DescriptionGitHub Advisory

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix.

AnalysisAI

Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions to force the CMS server to fetch arbitrary URLs, including internal network resources and localhost endpoints, storing the retrieved content as platform assets. This enables reconnaissance of internal infrastructure, exfiltration of cloud metadata endpoints (AWS/Azure credentials), and access to services not exposed to the internet. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with content editor account

Delivery

Submit asset upload with internal URL

Exploit

Server fetches private endpoint

Execution

Malicious content persisted as asset

Persist

Download asset to extract internal data

Impact

Pivot to cloud credentials or internal services