Description
A security vulnerability has been detected in moxi624 Mogu Blog v2 up to 5.2. Affected by this vulnerability is the function LocalFileServiceImpl.uploadPictureByUrl of the file mogu_picture/src/main/java/com/moxi/mogublog/picture/service/impl/LocalFileServiceImpl.java of the component Picture Storage Service. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery
Action: Apply Patch
AI Analysis

Impact

LocalFileServiceImpl.uploadPictureByUrl in Mogu Blog v2's Picture Storage Service fetches a remote image from a URL supplied by the caller, and the CVE records that the destination of that fetch can be manipulated. This is a classic server-side request forgery (CWE-918): the attacker uses the server as a proxy to reach hosts that it can see but the attacker cannot, which enables internal network reconnaissance, access to loopback-only services and cloud metadata endpoints, and follow-on attacks against anything reachable from the server's network position. Because the function's purpose is to store the fetched bytes as a picture, the response body may also be retrievable afterwards, which would turn a blind SSRF into a full-read one; the advisory does not state this, so confirm it against your own deployment.

Affected Systems

Products listed by the CNA: moxi624 Mogu Blog v2 through version 5.2. Any deployment in that range that has not applied a fix for the SSRF in LocalFileServiceImpl.uploadPictureByUrl is affected. Because the flaw is in the picture storage component itself rather than in an optional module, assume every deployment in the identified version range carries it.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (7.3 under CVSS 3.x) reflects moderate severity: the vector is network-reachable, low complexity, no privileges and no user interaction, with low confidentiality, integrity and availability impact. The exploit-maturity metric is proof-of-concept (E:P), and the SSVC record marks exploitation as "poc" and the vulnerability as automatable. EPSS is below 1%, so the modeled probability of exploitation in the wild is currently low, but public disclosure of a working PoC against an unpatched product means opportunistic abuse should be expected. The vulnerability is not listed in CISA's KEV catalog. An unauthenticated remote attacker triggers it by reaching the code path that calls uploadPictureByUrl with a crafted URL; the function fetches the supplied URL without restricting its destination, so the attacker can direct requests at loopback, internal and cloud-metadata services that are unreachable from outside.

Generated by OpenCVE AI on April 20, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a vendor release that fixes the SSRF in uploadPictureByUrl as soon as one is published. At the time of writing no vendor fix or workaround has been provided, so treat the remaining items as the interim control.
  • Until then, disable the fetch-from-URL picture upload path, or restrict it to authenticated, trusted users, or enforce an allowlist of trusted image hosts. If you filter by destination instead, do not match on the URL string alone: parse the URL, restrict the scheme to http/https, resolve the hostname and reject any resolved address that is loopback (127.0.0.0/8, ::1), private (10/8, 172.16/12, 192.168/16, fc00::/7), link-local (169.254/16, which includes cloud metadata at 169.254.169.254, and fe80::/10) or otherwise non-public. Then connect to the address you validated rather than re-resolving, and do not follow redirects automatically, since a redirect or DNS rebinding otherwise bypasses the check.
  • Apply egress filtering so the application host can only reach destinations it legitimately needs (a forward proxy with an allowlist, or firewall rules that deny outbound connections to RFC 1918 ranges, the metadata service and the internet at large), and alert on outbound connections from the application to unexpected destinations.
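The destination check described in the actions above, as an added example written for this page. It is not code from the Mogu Blog project, and the class, method and field names (RemoteImageUrlPolicy, check, Decision) are assumptions; it shows what a string-level blocklist misses: scheme and port restriction, DNS resolution, an address-level test of every resolved IP, and returning the vetted address so the caller connects to exactly that address instead of resolving the name a second time.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Mogu Blog code; names are assumptions): a destination
 * policy for a "fetch an image from a user-supplied URL" feature.
 */
public final class RemoteImageUrlPolicy {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Outcome of a check: allowed or not, why, and the address to connect to. */
    public static final class Decision {
        public final boolean allowed;
        public final String reason;
        public final InetAddress address;   // pin the connection to this, never re-resolve

        Decision(boolean allowed, String reason, InetAddress address) {
            this.allowed = allowed;
            this.reason = reason;
            this.address = address;
        }

        @Override
        public String toString() {
            return (allowed ? "ALLOW " : "REJECT ") + reason;
        }
    }

    private static Decision reject(String reason) {
        return new Decision(false, reason, null);
    }

    /** Validate a user-supplied URL before the server fetches it. */
    public static Decision check(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return reject("malformed URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return reject("scheme not allowed: " + scheme);     // no file:, gopher:, ftp:, ...
        }
        if (uri.getRawUserInfo() != null) {
            return reject("credentials in URL not allowed");   // http://trusted.example@evil/
        }
        String host = uri.getHost();                            // null when URI cannot parse the host
        if (host == null || host.isEmpty()) {
            return reject("missing or unparsable host");
        }
        int port = uri.getPort();
        if (port == -1) {
            port = "https".equalsIgnoreCase(scheme) ? 443 : 80;
        }
        if (port != 80 && port != 443) {
            return reject("port not allowed: " + port);         // keeps the fetcher off admin ports
        }
        final InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(host);          // literals (incl. [v6]) and names
        } catch (UnknownHostException e) {
            return reject("host does not resolve: " + host);
        }
        // Every A/AAAA answer must be public: a name with one public and one
        // internal record would otherwise pass depending on which answer is used.
        for (InetAddress a : resolved) {
            if (!isPublic(a)) {
                return reject(host + " resolves to non-public address " + a.getHostAddress());
            }
        }
        return new Decision(true, "ok, connect to " + resolved[0].getHostAddress(), resolved[0]);
    }

    /** Address-level test; java.net flags most ranges, the rest are added here. */
    static boolean isPublic(InetAddress a) {
        // 0.0.0.0/::, 127/8 and ::1, 169.254/16 (cloud metadata) and fe80::/10,
        // 10/8, 172.16/12, 192.168/16, multicast
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return false;
        }
        byte[] b = a.getAddress();          // IPv4-mapped IPv6 already arrives as Inet4Address
        if (b.length == 4) {
            // 100.64.0.0/10 (CGNAT) and 192.0.0.0/24 are not flagged by java.net
            return !((b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40)
                && !((b[0] & 0xff) == 192 && b[1] == 0 && b[2] == 0);
        }
        return (b[0] & 0xfe) != 0xfc;      // fc00::/7 unique-local is not site-local to java.net
    }

    public static void main(String[] args) {
        String[] samples = {                // constructed inputs for the demonstration
            "http://127.0.0.1:8080/admin",
            "http://169.254.169.254/latest/meta-data/",
            "http://[::1]/",
            "http://10.0.0.5/internal.png",
            "http://[fd00::1]/",
            "file:///etc/passwd",
            "http://user@evil.example/",
            "http://93.184.216.34/image.png"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + check(s));
        }
    }
}
```

Only the last sample is allowed; the others are rejected by port, link-local, loopback, site-local, unique-local, scheme and userinfo checks respectively. The caller should open the connection to decision.address with a client configured not to follow redirects (for java.net.http.HttpClient, Redirect.NEVER), send the original hostname in the Host header, run check again on any Location value before following it, and verify that the downloaded bytes are actually an image before storing them.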

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Moxi624; Moxi624 mogu Blog V2

Type: Vendors & Products
Values Removed: (none)
Values Added: Moxi624; Moxi624 mogu Blog V2

Mon, 20 Apr 2026 10:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security vulnerability has been detected in moxi624 Mogu Blog v2 up to 5.2. Affected by this vulnerability is the function LocalFileServiceImpl.uploadPictureByUrl of the file mogu_picture/src/main/java/com/moxi/mogublog/picture/service/impl/LocalFileServiceImpl.java of the component Picture Storage Service. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T15:27:00.317Z

Reserved: 2026-04-19T16:38:13.228Z

Link: CVE-2026-6625

Vulnrichment

Updated: 2026-04-20T15:26:51.148Z

NVD

Status : Received

Published: 2026-04-20T10:16:17.760

Modified: 2026-04-20T10:16:17.760

Link: CVE-2026-6625

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:57:53Z

Weaknesses