CVE-2026-41195

EPSS 0.2%
Veröffentlicht 12.05.2026 21:24:35
Zuletzt bearbeitet 18.05.2026 16:16:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

mosparo: Rule package source URL stored SSRF enables internal HTTP probing

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellermosparo

≫

Produkt mosparo

Version < 1.4.13

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.095

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5	3.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg

https://nvd.nist.gov/vuln/detail/CVE-2026-41195

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41195

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41195

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41195