Description
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Apache Fesod (Incubating) is a Server‑Side Request Forgery (SSRF) that allows an attacker to supply a malicious image URL to the UrlImageConverter component, leading the server to make outbound requests to internal or otherwise restricted resources. This can result in unintended data exfiltration or further lateral movement by the attacker. The weakness is catalogued as CWE‑918.

Affected Systems

The affected product is Apache Fesod (Incubating) produced by the Apache Software Foundation. All releases prior to version 2.0.2‑incubating are vulnerable. Users of earlier releases should verify their installed version against the provided references and plan an upgrade.

Risk and Exploitability

The CVSS score of 5.3 places this SSRF in the moderate‑severity range, while the EPSS score of less than 1 % indicates a low but nonzero exploitation probability. The flaw requires an attacker to supply a crafted image URL to the UrlImageConverter component, typically via an interface that processes image requests. When exploited, the server can fetch internal or restricted resources, which may reveal confidential data or provide a foothold for further attacks. Because any environment that permits outbound traffic to internal networks is at risk, the vulnerability remains significant for systems lacking proper segmentation or restrictive outbound controls. It is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 1, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Fesod to version 2.0.2-incubating or later.
  • If upgrading is not immediately possible, remove or disable the UrlImageConverter component until a patched version is available.
  • Restrict outbound traffic from the Fesod server to internal or restricted networks using firewall rules or network segmentation.

Generated by OpenCVE AI on June 1, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
References

Mon, 01 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache fesod
CPEs cpe:2.3:a:apache:fesod:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache fesod

Mon, 01 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.
Title Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF
Weaknesses CWE-918
References

Subscriptions

Apache Fesod
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T14:13:17.227Z

Reserved: 2026-05-29T09:40:58.862Z

Link: CVE-2026-49328

cve-icon Vulnrichment

Updated: 2026-06-01T14:13:17.227Z

cve-icon NVD

Status : Modified

Published: 2026-06-01T11:16:25.803

Modified: 2026-06-01T15:16:38.830

Link: CVE-2026-49328

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T14:45:26Z

Weaknesses