Description
e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4.
Published: 2026-05-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery (SSRF): an attacker can specify a local or internal URL in the Media Manager’s remote fetch field, and the server then retrieves arbitrary data from internal or local resources, potentially exposing internal host information or serving as a foothold for additional attacks. The flaw is classified as CWE‑918 and can lead to unauthorized access to internal services and data leaks.

Affected Systems

The affected product is the e107 content management system from e107inc. All versions prior to 2.3.4 are vulnerable; the fix is implemented in 2.3.4 and later releases.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate severity; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web‑based administrator interface, requiring an authenticated admin session to submit the remote URL. Once exploited, the attacker can retrieve internal resources via the server, potentially compromising confidentiality and availability of internal services.

Generated by OpenCVE AI on May 26, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to e107 version 2.3.4 or newer, which removes the SSRF vulnerability.
  • If upgrading immediately is not possible, disable the remote file fetch feature in the Media Manager configuration to prevent unintended external requests.
  • Ensure that the administrator interface is accessed only from trusted IP addresses or behind a firewall to limit exposure to the SSRF exploit scenario.

Advisories

No advisories yet.

History

Tue, 26 May 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4. |
| Title | | e107: Server-Side Request Forgery (SSRF) in the remote file fetcher |
| Weaknesses | | CWE-918 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T16:21:18.449Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43936

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T16:16:25.543

Modified: 2026-05-26T17:16:45.847

Link: CVE-2026-43936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:30:10Z

Weaknesses