Description
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.
Published: 2026-04-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

SocialEngine versions 7.8.0 and earlier contain a blind server‑side request forgery in the /core/link/preview endpoint. The uri request parameter is used as the destination of an outbound HTTP request without any sanitization, so an authenticated remote attacker can make the server connect to arbitrary URLs, including internal or loopback addresses. Because the SSRF is blind, the attacker does not receive the response body, but differences in timing and error behaviour can typically still be used to enumerate internal hosts and services and to reach resources that are not intended to be exposed externally. This is a classic instance of CWE‑918.

Affected Systems

The affected product is SocialEngine (vendor: SocialEngine). All releases up to and including 7.8.0 are vulnerable; versions newer than 7.8.0 are not reported as affected.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates moderate severity, while the EPSS score of less than 1 % suggests a low probability of exploitation at the time of analysis. Note that the record also carries a CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) scoring 8.5 High, so triage based on v3.1 will rank this issue higher. The vulnerability is not listed in CISA’s KEV catalog. Attackers need authenticated access to the application, after which they can supply a crafted uri value to trigger the blind SSRF. Successful exploitation could lead to internal network enumeration and access to services that should only be reachable from inside the network.

Generated by OpenCVE AI on April 28, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade once the vendor publishes a release later than 7.8.0 that fixes the link preview endpoint; at the time of writing the record lists no fixed version, so confirm the fix in the vendor's release notes before relying on an upgrade.
  • Until a fix is available, remove or disable the /core/link/preview route to eliminate the SSRF vector.
  • On the host or firewall, block outbound HTTP requests from the SocialEngine web process to loopback, link-local (169.254.0.0/16, which includes cloud metadata services) and RFC 1918 ranges, and log the denied attempts: for a blind SSRF those logs are often the only evidence of probing. Egress filtering limits the impact but does not remove the flaw.
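To make the fix concrete, the following is an added example written for this page, not SocialEngine's own code (SocialEngine is not written in Python; the pattern is language-agnostic). It places the pass-through behaviour the description attributes to the endpoint beside the target check a link-preview feature should perform before fetching: restrict the scheme, resolve the host, and judge every address it resolves to, unwrapping IPv4-mapped IPv6 literals. The DNS table, hostnames, sample URIs and function names are constructed for the example so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline. Hostnames and addresses
# are made up for this example; production code would call
# socket.getaddrinfo() here and must connect to the *same* address it
# checked (DNS pinning), or a rebinding attacker passes the check and still
# reaches an internal host.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp.local": ["10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
}

Resolver = Callable[[str], Iterable[str]]


def fake_resolve(host: str) -> Iterable[str]:
    """Stand-in for DNS resolution, backed by the constructed table above."""
    return FAKE_DNS.get(host, [])


def vulnerable_preview_target(uri: str) -> str:
    """The pattern the advisory describes: the user-supplied uri becomes the
    outbound request target with no checks at all. Returned rather than
    fetched so the example stays offline."""
    return uri


def validate_preview_target(uri: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Return None when uri is an acceptable preview target, otherwise a
    short reason for rejecting it.

    Order matters: parse, restrict the scheme, then resolve the host and
    judge every address it resolves to. Judging the hostname string alone
    misses names that point at internal addresses.
    """
    try:
        parts = urlsplit(uri)
        _ = parts.port  # raises ValueError for out-of-range ports
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return "no host"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL"

    try:
        addrs = [ipaddress.ip_address(host)]  # bare IP literal
    except ValueError:
        resolved = list(resolve(host))
        if not resolved:
            return "host does not resolve"
        addrs = [ipaddress.ip_address(a) for a in resolved]

    for ip in addrs:
        # ::ffff:127.0.0.1 is loopback wearing an IPv6 coat.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # which covers cloud metadata services), unspecified and reserved.
        if not ip.is_global or ip.is_multicast:
            return f"{ip} is not a public address"
    return None


# Constructed inputs: the cases the advisory names plus common evasions
# (IPv6 literal, IPv4-mapped IPv6, a hostname resolving internally,
# a non-HTTP scheme, an out-of-range port).
SAMPLE_URIS = [
    "http://example.com/article",
    "http://127.0.0.1:8080/admin",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::1]/",
    "http://[::ffff:127.0.0.1]/",
    "http://intranet.corp.local/",
    "http://metadata.internal/",
    "file:///etc/passwd",
    "http://example.com:99999/",
]


def run_samples() -> dict:
    """Map each sample URI to (what the vulnerable code would fetch, verdict)."""
    return {u: (vulnerable_preview_target(u), validate_preview_target(u)) for u in SAMPLE_URIS}


if __name__ == "__main__":
    for uri, (fetched, verdict) in run_samples().items():
        print(f"{uri:45} vulnerable fetches: {fetched!r:45} hardened: {verdict or 'allowed'}")
```

Two caveats a practitioner will want: the check has to be applied to every redirect hop (disable automatic redirects in the HTTP client and re-validate each Location), and the connection must go to the address that was validated, otherwise a host that resolves differently between check and connect slips through. That gap is why the egress filtering in the recommended actions remains worthwhile as defence in depth.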

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 20:30:00 +0000
  References: updated (no values shown)

Mon, 27 Apr 2026 15:00:00 +0000
  First Time appeared (added): Socialengine; Socialengine socialengine
  CPEs (added): cpe:2.3:a:socialengine:socialengine:*:*:*:*:*:*:*:*
  Vendors & Products (added): Socialengine; Socialengine socialengine

Thu, 23 Apr 2026 18:15:00 +0000
  Metrics (added) ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 17:30:00 +0000
  Metrics (added) cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Thu, 23 Apr 2026 15:00:00 +0000
  Description (added): the description shown at the top of this page
  Title (added): SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview
  Weaknesses (added): CWE-918
  References: (no values shown)
  Metrics (added) cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T19:32:21.152Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41461

Vulnrichment

Updated: 2026-04-29T19:32:21.152Z

NVD

Status : Modified

Published: 2026-04-23T15:37:24.683

Modified: 2026-04-29T20:16:30.927

Link: CVE-2026-41461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses