CVE-2026-41195

Published: May 12, 2026Modified: May 18, 2026Deferred

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg

Source: security-advisories@github.com

https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.