Description
Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.
Published: 2026-04-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

Squidex versions before 7.23.0 allow an authenticated user with low privileges, such as schema editors, to direct the server’s Jint HTTP client to make arbitrary outbound HTTP requests. The missing SSRF protection enables the attacker to reach internal or cloud metadata services, potentially exposing credentials and providing a foothold for lateral movement. This flaw is identified as CWE‑918 (Server‑Side Request Forgery).

Affected Systems

The vulnerability affects the Squidex content management platform, specifically all releases earlier than 7.23.0. Users running those earlier versions are at risk if they continue to provide authenticated access with editing permissions.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity risk. EPSS data is not available, and the issue is not listed in CISA’s KEV catalogue, suggesting no publicly known exploits yet. However, the attack requires only a low‑privileged authenticated session and can be used to reach internal endpoints, so the real‑world risk remains significant, especially in environments with exposed internal services or cloud metadata access. The attack vector is likely external, mediated by legitimate API calls from a compromised or malicious user account.

Generated by OpenCVE AI on April 27, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Squidex to version 7.23.0 or later to apply the SSRF fix.
  • If an immediate upgrade is not feasible, remove or reduce the editing permissions of users who can execute scripts or disable the Jint scripting engine functions entirely.
  • Implement outbound firewall or proxy restrictions to limit the Squidex server’s ability to reach internal network addresses or cloud metadata endpoints.

Generated by OpenCVE AI on April 27, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Squidex.io
Squidex.io squidex
Vendors & Products Squidex.io
Squidex.io squidex

Thu, 23 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Squidex due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix. Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

 cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Squidex due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.
Title SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Squidex.io Squidex
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T12:54:01.682Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41171

cve-icon Vulnrichment

Updated: 2026-04-23T12:53:47.816Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T22:16:31.543

Modified: 2026-04-24T14:45:24.803

Link: CVE-2026-41171

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses