Skip to main content

NukeViet CMS CVE-2026-55372

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-13 https://github.com/nukeviet/nukeviet GHSA-4chg-4752-w88r
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Pre-auth remote trigger with no interaction gives AV:N/AC:L/PR:N/UI:N; blind fixed-path sink yields only limited C:L (internal discovery) and I:L (header cache poisoning), and I keep S:U since impact stays within the vulnerable app.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 19:23 vuln.today
Analysis Generated
Jul 13, 2026 - 19:23 vuln.today
CVE Published
Jul 13, 2026 - 17:58 github-advisory
HIGH 7.2

DescriptionGitHub Advisory

Summary

An unauthenticated attacker can coerce the server into issuing HTTP requests to an attacker-chosen host by spoofing the X Forwarded-Host (and X-Forwarded-Proto) request headers. The forwarded host is used, without validation, to build the URL that server_info_update() fetches with cURL, resulting in a Server-Side Request Forgery (SSRF) that requires no authentication.

Affected component

  • File: includes/ini.php - function server_info_update() (cURL sink)
  • File: vendor/vinades/nukeviet/Core/Server.php - standardizeHost() and the forwarded-header handling in the constructor (source of the tainted host)
  • Trigger: POST request containing the field __serverInfoUpdate=1, handled early in includes/ini.php before any authentication.

Details

NukeViet\Core\Server derives original_host / original_protocol from the X-Forwarded-Host / X-Forwarded-Proto headers and exposes them via getOriginalHost() / getOriginalProtocol(). These values are attacker-controlled and were not validated against the site's configured domains (my_domains).

In server_info_update() the tainted host and scheme are concatenated directly into a cURL URL:

php
$proto = $nv_Server->getOriginalProtocol();   // from X-Forwarded-Proto
$host  = $nv_Server->getOriginalHost();        // from X-Forwarded-Host
$ch = curl_init($proto . '://' . $host . NV_BASE_SITEURL . 'index.php?response_headers_detect=1');
curl_exec($ch);

Two factors made this reliably reachable:

  1. The __serverInfoUpdate handler runs very early in includes/ini.php, before authentication, so the sink is reachable pre-auth.
  2. The host sanitiser standardizeHost() stripped a trailing port only with the regex (\:[0-9]+)$, which is bypassed by appending a slash (e.g. 127.0.0.1:8081/): the string no longer ends in :digits, so the port survives and an arbitrary host:port reaches the cURL call.

Proof of Concept

http
POST /index.php HTTP/1.1
Host: <victim>
X-Forwarded-Proto: http
X-Forwarded-Host: <attacker-controlled-host>:<port>/
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

__serverInfoUpdate=1

The server then issues a request to the attacker-supplied host, confirmed via an out-of-band interaction (DNS + HTTP) on a collaborator endpoint.

Impact

The SSRF is blind, HEAD-only, and uses a fixed request path (…/index.php?response_headers_detect=1):

  • The fetched response is stored server-side in the config_ini cache and is not reflected to the attacker, so internal data cannot be exfiltrated directly.
  • Because the path is fixed and not attacker-controlled, cloud metadata endpoints (e.g. 169.254.169.254/latest/meta-data/...) cannot be reached, and gopher:// / dict:// request smuggling cannot inject arbitrary payloads.

What an attacker can do: unauthenticated internal host/port discovery (connection success/timing, with the port reachable through the regex bypass), and poisoning of the cached server_headers (the SSRF target's response headers are stored and applied to the site).

Severity

Rated High rather than Critical, because the blind + fixed-path + HEAD design of the sink prevents data exfiltration, cloud credential theft, and internal RCE.

  • CVSS v3.1 Base Score: 7.2 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Weakness

  • Primary: CWE-918: Server-Side Request Forgery (SSRF)
  • Contributing: CWE-20 (Improper Input Validation), CWE-644 (Improper Neutralization of HTTP Headers used by downstream components / trusting X-Forwarded-*).

Remediation

Fixed by validating and normalising the forwarded values at the source and gating the request before the sink:

  • standardizeHost() now extracts the host with parse_url() (defeats the :port/ bypass) and lower-cases it.
  • X-Forwarded-Proto is restricted to a {http, https} allow-list and falls back to the real server protocol otherwise.
  • X-Forwarded-Port is validated as numeric and within range.
  • The incoming host is checked against my_domains before includes/ini.php is reached; non-matching hosts are rejected/redirected, and server_info_update() additionally re-validates its target host against my_domains (defense in depth).

Workaround

Configure the reverse proxy / web server to strip or override client-supplied X-Forwarded-Host, X-Forwarded-Proto, and X-Forwarded-Port headers, and ensure my_domains is configured with the site's canonical domain(s).

AnalysisAI

Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send POST index.php with __serverInfoUpdate=1
Delivery
Spoof X-Forwarded-Host to internal target:port/
Exploit
Bypass standardizeHost port regex
Execution
server_info_update() cURL fetches attacker host
Impact
Probe internal hosts/ports and poison cached server_headers

Vulnerability AssessmentAI

Exploitation Exploitation requires the __serverInfoUpdate feature path to be reachable - a POST to index.php with the field __serverInfoUpdate=1, which is handled early in includes/ini.php before authentication, so no credentials or user interaction are needed (CVSS PR:N/UI:N is consistent with this). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 High) reflects a genuinely low-friction reachability profile: network attack vector, low complexity, no privileges and no user interaction, which matches the pre-auth POST trigger described. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an unauthenticated POST to /index.php containing __serverInfoUpdate=1 with X-Forwarded-Proto: http and X-Forwarded-Host set to an internal target such as 10.0.0.5:6379/, causing the NukeViet server to issue a HEAD request to that host and letting the attacker map reachable internal hosts and ports via connection success/timing. The advisory includes a working PoC confirmed through out-of-band DNS and HTTP interaction on a collaborator endpoint, but the blind, fixed-path sink means no internal response content is returned to the attacker.
Remediation Vendor-released patch: upgrade NukeViet to 4.6.00 or later, which validates and normalises the forwarded values at the source - standardizeHost() now uses parse_url() to extract and lower-case the host (defeating the :port/ bypass), restricts X-Forwarded-Proto to an {http,https} allow-list falling back to the real server protocol, validates X-Forwarded-Port as an in-range numeric, checks the incoming host against my_domains before includes/ini.php is reached, and has server_info_update() re-validate its target against my_domains as defense in depth. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all NukeViet CMS installations in production and document their network isolation; review access logs for anomalous X-Forwarded-Host or X-Forwarded-Proto header patterns indicative of exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-55372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy