Skip to main content

Apache Fesod CVE-2026-49328

| EUVDEUVD-2026-33622 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-01 apache GHSA-vqc2-c9jh-3jjv
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 01, 2026 - 13:24 vuln.today
Analysis Generated
Jun 01, 2026 - 13:24 vuln.today
CVSS changed
Jun 01, 2026 - 13:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 01, 2026 - 10:10 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 10:10 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 maven packages depend on org.apache.fesod:fesod-sheet (6 direct, 2 indirect)

Ecosystem-wide dependent count for version 2.0.2-incubating.

DescriptionCVE.org

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

AnalysisAI

Server-Side Request Forgery in Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows unauthenticated remote attackers to trigger outbound HTTP requests from the server to internal or restricted network resources by supplying a crafted image URL to the UrlImageConverter component. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, making this trivially reachable against any exposed instance. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

Apache Fesod (Incubating) is an Apache Software Foundation incubator project for spreadsheet processing in Java. The vulnerable component is UrlImageConverter within the fesod-sheet module, which fetches images from caller-supplied URLs during spreadsheet rendering or export. CWE-918 (Server-Side Request Forgery) describes the root cause: the component makes outbound HTTP requests using attacker-controlled input without validating the destination host or IP range against an allowlist. This allows the server to act as a proxy to internal infrastructure. The fix in PR #917 introduces a new CidrBlock.java class - a CIDR-based network address matcher - used to implement an IP allowlist for the UrlImageConverter's outbound fetch logic, blocking requests to private/reserved address spaces. Affected CPE: cpe:2.3:a:apache_software_foundation:apache_fesod_(incubating):*:*:*:*:*:*:*:*.

RemediationAI

Upgrade Apache Fesod (Incubating) fesod-sheet to version 2.0.2-incubating, which is confirmed as the vendor-released fix per GitHub release tag https://github.com/apache/fesod/releases/tag/2.0.2-incubating and the Apache advisory at https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj. The patch introduces CIDR-based IP allowlisting in the UrlImageConverter component to block requests to internal address ranges. If immediate upgrade is not possible, a compensating control is to restrict outbound network access from the application server using host-based firewall rules or cloud security groups, specifically blocking access to RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254/32). This network-level control is effective but adds operational overhead and must be maintained separately from the application. Applications that legitimately need to fetch images from internal URLs will need those ranges explicitly whitelisted after upgrading to 2.0.2-incubating.

Share

CVE-2026-49328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy