Skip to main content

Squidex EUVD-2026-25104

| CVE-2026-41171 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-22 GitHub_M
SSRF Squidex
7.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 24, 2026 - 14:45 nvd
Patch available
Re-analysis Queued
Apr 23, 2026 - 13:22 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:52 vuln.today
Patch available
Apr 22, 2026 - 23:02 EUVD
CVSS changed
Apr 22, 2026 - 22:22 NVD
7.3 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 21:46 euvd
EUVD-2026-25104
Analysis Generated
Apr 22, 2026 - 21:46 vuln.today
CVE Published
Apr 22, 2026 - 21:16 nvd
HIGH 7.3

DescriptionGitHub Advisory

Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the Jint HTTP client used by scripting engine functions (getJSON, request, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.

AnalysisAI

Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with schema editor credentials
Delivery
Create malicious content schema with scripting rule
Exploit
Invoke getJSON/request function targeting internal endpoint
Execution
Server executes SSRF request
Persist
Extract cloud credentials or internal data
Impact
Lateral movement via exposed credentials
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must possess authenticated access to the Squidex instance with schema editing permissions (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 score of 7.3 reflects high confidentiality and integrity impact to the vulnerable system (VC:H/VI:H) with network attack vector and low complexity (AV:N/AC:L/AT:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker with schema editing permissions creates a custom content schema in Squidex and adds a scripting rule that calls getJSON('http://169.254.169.254/latest/meta-data/iam/security-credentials/') to retrieve AWS IAM role credentials from the instance metadata service. The Squidex server executes this script during content processing, making the SSRF request and returning temporary AWS credentials to the attacker. …
Remediation Upgrade to Squidex version 7.23.0 or later, which includes SSRF protection for the Jint HTTP client as documented in GitHub commit b81d75e1d9c1a8e30993c2ee59b350002b9aeda4 (https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Squidex instances in your environment and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-25104 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy