Description
mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.
Published: 2026-05-12
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in mosparo's automatic rule package source URL feature. When a project member with an editor role stores a URL, the server later fetches it without blocking private or loopback destinations and follows HTTP/HTTPS redirects. This turns the feature into a stored SSRF primitive that can be used for internal HTTP probing. Classified as CWE-918, this vulnerability does not grant direct code execution but allows an attacker to identify and enumerate internal services, potentially leaking sensitive information and facilitating subsequent attacks.

Affected Systems

Any mosparo installation prior to version 1.4.13 is impacted. The vulnerability was fixed in release 1.4.13; all earlier versions, regardless of sub‑release, maintain the weakness.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity. EPSS data is not available and the flaw is not listed in CISA KEV, suggesting limited public exploitation to date. However, exploitation requires an authenticated user with editor privileges; based on the description, it is inferred that an attacker may obtain such privileges through phishing or credential compromise. Once authenticated, the attacker can instruct the server to query arbitrary internal endpoints, turning mosparo into an internal discovery tool. The ability to follow redirects and lack of outbound restrictions make the SSRF easy to exploit if the conditions are met.

Generated by OpenCVE AI on May 13, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest mosparo release (1.4.13 or later) that contains the fix.
  • Limit editor privileges to trusted accounts and remove or replace any unnecessary editor role assignments.
  • Configure network controls or firewall rules to restrict the mosparo service from contacting private or internal IP ranges, or use a proxy whitelist to limit outbound traffic.

Generated by OpenCVE AI on May 13, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Mosparo
Mosparo mosparo
Vendors & Products Mosparo
Mosparo mosparo

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.
Title mosparo: Rule package source URL stored SSRF enables internal HTTP probing
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Mosparo Mosparo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:24:35.643Z

Reserved: 2026-04-18T02:51:52.973Z

Link: CVE-2026-41195

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:34.050

Modified: 2026-05-12T22:16:34.050

Link: CVE-2026-41195

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses