How to fix EUVD-2026-25104?

Within 24 hours: Identify all Squidex instances in your environment and document current versions. Within 7 days: Upgrade all Squidex deployments to version 7.23.0 or later; if immediate upgrade is not feasible, restrict schema editing permissions to only trusted administrators and disable Jint scripting engine if not actively required. Within 30 days: Conduct a security audit of any Squidex instances that ran unpatched versions to identify potential unauthorized access to cloud credentials or internal service access; rotate any cloud provider credentials and review CloudTrail/equivalent logs for suspicious API calls originating from Squidex systems.

Is Squidex affected by EUVD-2026-25104?

Squidex versions prior to 7.23.0 contain a Server-Side Request Forgery vulnerability that allows authenticated users with schema editing permissions to extract cloud provider credentials and access internal services, creating a direct pathway for lateral movement and credential compromise within…

Squidex EUVD-2026-25104

| CVE-2026-41171 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-22 GitHub_M

SSRF

7.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 23, 2026 - 13:22 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:52 vuln.today

Patch available

Apr 22, 2026 - 23:02 EUVD

CVSS changed

Apr 22, 2026 - 22:22 NVD

7.3 (HIGH)

DescriptionNVD

Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the Jint HTTP client used by scripting engine functions (getJSON, request, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.

AnalysisAI

Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing permissions to force the server to make arbitrary HTTP requests to internal services and cloud metadata endpoints through the Jint scripting engine. The vulnerability can expose cloud provider credentials (e.g., AWS IMDS) and enable lateral movement within internal networks. …

RemediationAI

Within 24 hours: Identify all Squidex instances in your environment and document current versions. Within 7 days: Upgrade all Squidex deployments to version 7.23.0 or later; if immediate upgrade is not feasible, restrict schema editing permissions to only trusted administrators and disable Jint scripting engine if not actively required. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-25104 vulnerability details – vuln.today

Back

Squidex EUVD-2026-25104

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Squidex EUVD-2026-25104

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code