Description
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.
Published: 2026-04-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery that enables authenticated administrators to trigger outbound HTTP requests to arbitrary URLs, allowing internal network scanning and potential access to cloud metadata endpoints.
Action: Immediate Patch
AI Analysis

Impact

ProcessWire CMS versions 3.0.255 and earlier contain an SSRF vulnerability in the admin panel’s "Add Module From URL" feature. By providing arbitrary URLs to the module download parameter, an authenticated administrator can cause the server to issue outbound HTTP requests to attacker‑controlled internal or external hosts. The feature’s error messages reveal whether hosts are reachable, enabling reliable internal network port scanning and host enumeration across RFC‑1918 ranges, and exposing sensitive information such as cloud instance metadata.
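
A destination check that addresses the two behaviours described above (requests reaching internal or metadata addresses, and error messages that differ by outcome), as an added example. It is not ProcessWire's code or its fix; the function names, the http/https-only rule and the error text are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: one message for every rejection, so the response text does not
# reveal whether a host exists, a port is open, or an address was blocked.
GENERIC_ERROR = "Module download failed."
ALLOWED_SCHEMES = ("http", "https")  # assumption: no file://, gopher://, etc.


def resolve_host(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only for globally routable addresses.

    Rejects RFC 1918 ranges, loopback, link-local (which includes the
    169.254.169.254 metadata address), and other reserved space.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before checking
    return ip.is_global


def check_module_url(url, resolve=resolve_host):
    """Return (allowed, message) for a module download URL."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            return False, GENERIC_ERROR
        addrs = resolve(parts.hostname)
        # Every resolved address must be public; one internal record is enough
        # to reject, since the HTTP client may pick any of them.
        if not addrs or not all(is_public_address(a) for a in addrs):
            return False, GENERIC_ERROR
    except (ValueError, OSError):  # malformed URL/address or resolver failure
        return False, GENERIC_ERROR
    return True, ""
```

The download itself has to connect to one of the addresses that passed this check and refuse redirects; otherwise a second DNS lookup or a 3xx response sidesteps the validation.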

Affected Systems

The vulnerability affects ProcessWire CMS, version 3.0.255 and all earlier releases. Any installation that allows administrators to use the "Add Module From URL" function is susceptible.

Risk and Exploitability

The CVSS score is 6.1, indicating Moderate severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires administrative authentication and the ability to use the module import feature. Once authenticated, an attacker can perform internal reconnaissance or obtain privileged metadata without needing external network access.

Generated by OpenCVE AI on April 16, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProcessWire to version 3.0.256 or later where the SSRF issue is fixed.
  • If upgrading is not immediately possible, disable the "Add Module From URL" capability or remove the corresponding permission from administrative roles.
  • Restrict administrative access to trusted IP addresses and monitor for unexpected outbound HTTP traffic from the CMS server.

Generated by OpenCVE AI on April 16, 2026 at 02:18 UTC.

Advisories
Source | ID | Title
Github GHSA | GHSA-gmwr-9j4p-96vm | ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature
History

Thu, 16 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Processwire; Processwire processwire
Vendors & Products | | Processwire; Processwire processwire

Wed, 15 Apr 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.
Title | | ProcessWire CMS SSRF via Add Module From URL
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}; cvssV4_0: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-16T13:38:15.341Z

Reserved: 2026-04-13T20:29:02.808Z

Link: CVE-2026-40500

Vulnrichment

Updated: 2026-04-16T13:38:11.707Z

NVD

Status: Received

Published: 2026-04-15T22:17:22.377

Modified: 2026-04-15T22:17:22.377

Link: CVE-2026-40500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z
