CVE-2026-41177

Published: Apr 22, 2026Modified: Apr 24, 2026Deferred

5.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

Exploitability: 1.2 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.

Related CWEs

CWE-73

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4

Source: security-advisories@github.com

https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5

Source: security-advisories@github.com

https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.