{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41170", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-04-22T21:13:18.847Z", "dateUpdated": "2026-04-23T14:24:06.260Z"}, "containers": {"cna": {"title": "Squidex has SSRF via Backup Restore Endpoint \u2014 Admin-Controlled URL Download Allows Internal and External Requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g"}, {"name": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4"}], "affected": [{"vendor": "Squidex", "product": "squidex", "versions": [{"version": "< 7.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T21:13:18.847Z"}, "descriptions": [{"lang": "en", "value": "Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the \"Backup\" `HttpClient` without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. Version 7.23.0 contains a fix."}], "source": {"advisory": "GHSA-6q6m-7h5j-jq4g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:22:29.554663Z", "id": "CVE-2026-41170", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:24:06.260Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Squidex has SSRF via Backup Restore Endpoint \u2014 Admin-Controlled URL Download Allows Internal and External Requests", "source": {"advisory": "GHSA-6q6m-7h5j-jq4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Squidex", "product": "squidex", "versions": [{"status": "affected", "version": "< 7.23.0"}]}], "references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g", "name": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4", "name": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the \"Backup\" `HttpClient` without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. Version 7.23.0 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T21:13:18.847Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41170", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:22:29.554663Z"}}}], "references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T14:22:42.488Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-41170", "state": "PUBLISHED", "dateUpdated": "2026-04-22T21:13:18.847Z", "dateReserved": "2026-04-17T16:34:45.525Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T21:13:18.847Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the \"Backup\" `HttpClient` without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. Version 7.23.0 contains a fix."}], "id": "CVE-2026-41170", "lastModified": "2026-04-24T14:45:24.803", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T22:16:31.377", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4"}, {"source": "security-advisories@github.com", "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Squidex/squidex/security/advisories/GHSA-6q6m-7h5j-jq4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.23.0)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "squidex", "source": "cna", "vendor": "Squidex"}, "product": "squidex", "vendor": "squidex.io"}], "analysis": {"en": {"generated_at": "2026-04-28T07:53:49.401161+00:00", "value": {"mitigation_remediation": ["Upgrade Squidex to version\u202f7.23.0 or later, which includes the SSRF fix.", "Restrict the RestoreController.PostRestoreJob endpoint to accept only whitelisted URLs or enforce a same\u2011origin policy, preventing arbitrary downloads.", "Configure network segmentation or firewall rules to block the Squidex instance from accessing internal IP ranges or critical metadata services.", "Ensure all administrator accounts employ multi\u2011factor authentication and promptly remove any unnecessary privileged accounts to reduce the risk of credential compromise."], "summary": {"action": "Patch ASAP", "impact": "Server\u2011Side Request Forgery via an administrative backup restoration endpoint"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Squidex installations running versions older than 7.23.0. Version 7.23.0 and later include a fix. All Squidex deployments that expose the RestoreController.PostRestoreJob endpoint to administrative users are potentially impacted; the root component is the Squidex Squidex content management platform.", "description_and_impact": "The identified flaw stems from an admin\u2011only endpoint that accepts an arbitrary URL to download backup archives. The request is executed through an unprotected HTTP client, allowing an attacker who has, or has compromised, administrator credentials, to direct the server to fetch content from any internal or external address. This enables probing internal services, accessing cloud metadata endpoints, or otherwise performing reconnaissance against the protected environment. The issue is categorized as a server\u2011side request forgery (CWE\u2011918) and carries a CVSS score of 7.2, indicating a medium\u2011to\u2011high risk of compromise.", "risk_and_exploitability": "Because this flaw requires authenticated admin access, the threat level is mitigated by the need for privileged credentials, yet the impact is high if such credentials are compromised. The CVSS score reflects the severity, and the EPSS score of less than 1% indicates a very low but non\u2011zero exploitation probability; the vulnerability is not listed in the CISA KEV catalog. The recommended attack path involves an authenticated administrator using the backup restore endpoint to supply a malicious URL, resulting in the server attempting a request to a target internal resource. Failure to mitigate may enable sensitive internal disclosure or further lateral movement within the network."}}}}, "created": "2026-04-27T20:15:12.110460+00:00", "updated": "2026-04-28T08:00:14.356096+00:00", "vendors": ["squidex.io", "squidex.io$PRODUCT$squidex"]}