Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The "Add Module from URL" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable.
Published: 2026-04-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery that enables authenticated administrators to trigger outbound HTTP requests to arbitrary URLs, allowing internal network scanning and potential access to cloud metadata endpoints.
Action: Immediate Patch
AI Analysis

Impact

ProcessWire CMS versions 3.0.255 and earlier contain an SSRF vulnerability in the admin panel’s "Add Module From URL" feature. By providing arbitrary URLs to the module download parameter, an authenticated administrator can cause the server to issue outbound HTTP requests to attacker‑controlled internal or external hosts. The feature’s error messages reveal whether hosts are reachable, enabling reliable internal network port scanning and host enumeration across RFC‑1918 ranges, and exposing sensitive information such as cloud instance metadata.

Affected Systems

The vulnerability affects ProcessWire CMS, version 3.0.255 and all earlier releases. Any installation that allows administrators to use the "Add Module From URL" function is susceptible.

Risk and Exploitability

The CVSS score is 6.1, indicating Moderate severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires administrative authentication and the ability to use the module import feature. Once authenticated, an attacker can perform internal reconnaissance or obtain privileged metadata without needing external network access.

Generated by OpenCVE AI on April 16, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProcessWire to version 3.0.256 or later where the SSRF issue is fixed.
  • If upgrading is not immediately possible, disable the "Add Module From URL" capability or remove the corresponding permission from administrative roles.
  • Restrict administrative access to trusted IP addresses and monitor for unexpected outbound HTTP traffic from the CMS server.

Generated by OpenCVE AI on April 16, 2026 at 02:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gmwr-9j4p-96vm ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature
History

Fri, 10 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
Title ProcessWire CMS SSRF via Add Module From URL
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
Description ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The "Add Module from URL" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable.
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}


Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Processwire
Processwire processwire
Vendors & Products Processwire
Processwire processwire

Wed, 15 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.
Title ProcessWire CMS SSRF via Add Module From URL
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

Processwire Processwire
cve-icon MITRE

Status: REJECTED

Assigner: VulnCheck

Published:

Updated: 2026-07-09T22:59:18.996Z

Reserved: 2026-04-13T20:29:02.808Z

Link: CVE-2026-40500

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Deferred

Published: 2026-04-15T22:17:22.377

Modified: 2026-06-17T10:45:23.457

Link: CVE-2026-40500

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)