{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T05:53:11.566","vulnerabilities":[{"cve":{"id":"CVE-2026-24736","sourceIdentifier":"security-advisories@github.com","published":"2026-01-27T21:16:02.967","lastModified":"2026-02-12T21:30:02.060","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define \"Webhooks\" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a \"Blind\" SSRF into a \"Full Read\" SSRF. As of time of publication, no patched versions are available."},{"lang":"es","value":"Squidex es un sistema de gestión de contenido sin cabeza de código abierto y un centro de gestión de contenido. Las versiones de la aplicación hasta la 7.21.0 inclusive permiten a los usuarios definir 'Webhooks' como acciones dentro del motor de Reglas. El parámetro url en la configuración del webhook no parece validar ni restringir las direcciones IP de destino. Acepta direcciones locales como 127.0.0.1 o localhost. Cuando se activa una regla (Ya sea por activación manual llamando manualmente al endpoint de activación o por una actualización de contenido o cualquier otra activación), el servidor backend ejecuta una solicitud HTTP a la URL proporcionada por el usuario. Fundamentalmente, el servidor registra la respuesta HTTP completa en el registro de ejecución de la regla (campo lastDump), que es accesible a través de la API. Lo que convierte un SSRF 'Ciego' en un SSRF de 'Lectura Completa'. Al momento de la publicación, no hay versiones parcheadas disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:squidex.io:squidex:*:*:*:*:*:*:*:*","versionEndIncluding":"7.21.0","matchCriteriaId":"AB9DAE12-3516-4E2E-8CFE-D464ACDD44C2"}]}]}],"references":[{"url":"https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}