Skip to main content

e107 CMS CVE-2026-43936

| EUVD-2026-31847 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-26 GitHub_M
SSRF E107
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 12:24 vuln.today
Analysis Generated
Jun 08, 2026 - 12:24 vuln.today
Patch available
May 26, 2026 - 17:02 EUVD

DescriptionGitHub Advisory

e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4.

AnalysisAI

Server-Side Request Forgery (SSRF) in e107 CMS versions prior to 2.3.4 allows authenticated administrators to reach internal network resources by supplying IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) in the Media Manager's remote URL fetch feature, bypassing PHP's private-range IP filter. The root cause is a normalization gap in file_class.php where PHP's filter_var with FILTER_FLAG_NO_PRIV_RANGE does not canonicalize IPv4-mapped IPv6 notation, leaving loopback and private ranges reachable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain e107 admin credentials
Delivery
Authenticate to admin panel
Exploit
Navigate to Media Manager remote URL feature
Execution
Submit IPv4-mapped IPv6 URL (::ffff:127.0.0.1)
Persist
Server bypasses private-range filter and fetches internal endpoint
Impact
Read internal service response
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must hold an active e107 administrator session (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 scores this at 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network-reachable exploitation at low complexity but requiring authenticated access (PR:L), with impact limited to partial confidentiality. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with an e107 administrator account navigates to the Media Manager and selects 'From a remote location,' entering a URL such as http://[::ffff:127.0.0.1]:8080/admin/api/keys in the Image/File URL field. The server's isUrlSafe() function passes the IPv4-mapped IPv6 address through the private-range filter without normalizing it, and e107 then fetches the internal endpoint, returning its response content or metadata to the attacker. …
Remediation Upgrade to e107 version 2.3.4, which contains the confirmed fix per the vendor advisory at https://github.com/e107inc/e107/security/advisories/GHSA-92fr-7h4f-22pp. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-43936 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy