Is there a public PoC exploit available for CVE-2026-7291?

Yes, a public proof-of-concept exploit is available for CVE-2026-7291. Prioritise patching immediately. EPSS: 0.0%.

o2oa CVE-2026-7291

Q: What is the CVSS score of CVE-2026-7291?

CVE-2026-7291 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26074 LOW

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-28 VulDB

Java SSRF

2.1

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

CVSS changed

Apr 28, 2026 - 19:52 NVD

6.3 (MEDIUM) 5.3 (MEDIUM)

Analysis Generated

Apr 28, 2026 - 19:00 vuln.today

EUVD ID Assigned

Apr 28, 2026 - 18:45 euvd

EUVD-2026-26074

Analysis Generated

Apr 28, 2026 - 18:45 vuln.today

CVE Published

Apr 28, 2026 - 17:15 nvd

LOW 2.1

DescriptionNVD

A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery (SSRF) in o2oa up to version 10.0 allows authenticated remote attackers to manipulate the fileUrl parameter in the FileAction component to trigger arbitrary HTTP requests from the server. The vulnerability requires authenticated access (PR:L) but can facilitate attacks against internal services, exfiltrate sensitive data, or pivot to backend systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7291 vulnerability details – vuln.today

Back