Description
DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.
Published: 2026-02-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an SSRF flaw in the UEditor remote image fetch feature of DoraCMS versions 3.1 and earlier. The application takes a user-supplied URL, fetches the image via an outbound HTTP or HTTPS request, and returns the response without checking the target address or applying any restrictions. Because nothing is validated, an attacker can make the server query arbitrary hosts, including internal network services that perimeter firewall rules would block for the attacker directly, and, since no timeouts or size limits are applied, can craft requests that exhaust server resources. The flaw is classified as CWE-918 and could lead to information disclosure or denial of service.

Affected Systems

Vendor: Doramart. Product: DoraCMS. Affected versions: 3.1 and all earlier releases.

Risk and Exploitability

This flaw carries a CVSS score of 6.9 (medium severity), and its EPSS score is below 1%, suggesting a low likelihood of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. An attacker abuses the flaw by submitting a malicious URL to the UEditor remote image fetch endpoint; the server then issues an outbound request to the specified address. Because the destination is not filtered, the request can reach internal IP ranges, reveal which services answer, or exhaust server resources. The attack requires only that the target system accept the request, so a remote adversary with internet access can trigger the SSRF.

Generated by OpenCVE AI on April 15, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of DoraCMS newer than 3.1 or apply the vendor’s patch to restrict outbound image fetch calls and enforce allowlists.
  • If immediate upgrade is not possible, block or restrict the web server’s outbound HTTP/HTTPS connections to internal IP ranges using firewall rules or a proxy to limit the reach of any SSRF calls.
  • Disable or remove the UEditor remote image fetch functionality from the application configuration to eliminate the attack surface.
  • Enforce stricter input validation for the image URL endpoint, adding an allowlist, blocking private IP ranges, and imposing timeouts or size limits on requests.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Html-js; Html-js doracms
CPEs                 |                | cpe:2.3:a:html-js:doracms:*:*:*:*:*:*:*:*
Vendors & Products   |                | Html-js; Html-js doracms

Wed, 11 Feb 2026 22:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Doramart; Doramart doracms
Vendors & Products   |                | Doramart; Doramart doracms
Metrics              |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 22:45:00 +0000

Type                 | Values Removed | Values Added
Metrics              |                | cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

Tue, 10 Feb 2026 22:30:00 +0000

Type                 | Values Removed | Values Added
Description          |                | DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.
Title                |                | DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF
Weaknesses           |                | CWE-918
References           |                |
Metrics              |                | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T17:17:28.735Z

Reserved: 2026-02-06T19:12:03.464Z

Link: CVE-2026-25870

Vulnrichment

Updated: 2026-02-11T21:42:55.844Z

NVD

Status : Deferred

Published: 2026-02-10T23:16:16.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses