Description
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix.
Published: 2026-04-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

An SSRF flaw exists when uploading assets via the URL-based asset upload endpoint. A user holding asset upload permission can instruct the Squidex server to fetch any target URL, including internal or local addresses, and save the response as an asset. This can lead to the server making arbitrary outbound HTTP requests, potentially exposing internal network resources and leaking sensitive data, though the flaw does not provide direct code execution or command execution capabilities.

Affected Systems

Squidex, the open-source headless content management system (vendor Squidex.io). Versions older than 7.23.0 are affected when the asset upload feature is enabled for a user. The vulnerability requires the user to have permission to upload assets.

Risk and Exploitability

The CVSS score of 7.3 indicates a high-severity vulnerability. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog. Exploitation requires a legitimate user account with asset upload capability; the attacker can trigger outbound requests to arbitrary URLs, including internal services. While the flaw cannot directly grant code execution, it enables the server to access private networks and persist external data, posing a significant security risk.

Generated by OpenCVE AI on April 27, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Squidex to version 7.23.0 or later to apply the fix for the SSRF vulnerability.
  • If upgrading is not immediately possible, limit asset upload permissions to only trusted users and enforce strict authorization checks for the upload endpoint.
  • Configure network controls or outbound request filtering on the Squidex host to block requests to internal or restricted IP ranges, mitigating the effect of the SSRF.
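An added, illustrative egress guard for the third recommended action above; it is example code, not Squidex's own code or the vendor's fix. Before the server fetches a user-supplied URL it validates the scheme, resolves the host, and refuses any target that maps to a loopback, private, link-local, multicast or otherwise non-public address; the resolver hook and the hostnames used in the checks are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _default_resolve(host: str) -> list[str]:
    # Every A/AAAA answer is checked: one non-public record rejects the URL.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def _is_blocked(ip) -> bool:
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    # is_global is False for loopback, RFC 1918 / ULA, link-local (including
    # the 169.254.169.254 cloud metadata address), CGNAT and reserved ranges;
    # multicast is checked separately because is_global does not cover it.
    return (not ip.is_global) or ip.is_multicast

def vet_fetch_target(url: str, resolve=None) -> tuple[str, str]:
    """Return (hostname, pinned_ip) for an allowed URL, else raise ValueError.

    Connect to pinned_ip (keeping hostname for Host/SNI) so a second lookup
    cannot swap in an internal address, and re-run this on every redirect.
    """
    resolve = resolve or _default_resolve  # injectable for tests (assumption)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:  # literal IP (also bracketed IPv6): no DNS lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addrs:
        if _is_blocked(ipaddress.ip_address(addr)):
            raise ValueError(f"{host} maps to non-public address {addr}")
    return host, addrs[0]

def is_safe_fetch_target(url: str, resolve=None) -> bool:
    try:
        vet_fetch_target(url, resolve)
        return True
    except ValueError:
        return False
```

This check belongs in the application in addition to, not instead of, host-level outbound filtering, since only the application sees the URL before the request is made.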



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values added: Squidex.io; Squidex.io squidex
Type: Vendors & Products
Values added: Squidex.io; Squidex.io squidex

Thu, 23 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 21:45:00 +0000

Type: Description
Values added: Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an asset. Version 7.23.0 contains a fix.
Type: Title
Values added: Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)
Type: Weaknesses
Values added: CWE-918
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T12:52:16.717Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41172

Vulnrichment

Updated: 2026-04-23T12:51:34.806Z

NVD

Status: Deferred

Published: 2026-04-22T22:16:31.690

Modified: 2026-04-24T14:45:24.803

Link: CVE-2026-41172

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses