Metrics
Affected Vendors & Products
Fri, 10 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | ProcessWire CMS SSRF via Add Module From URL | |
| Metrics |
ssvc
|
Thu, 09 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints. | This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The "Add Module from URL" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable. |
| Metrics |
cvssV4_0
|
cvssV4_0
|
Thu, 16 Apr 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Apr 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Processwire
Processwire processwire |
|
| Vendors & Products |
Processwire
Processwire processwire |
Wed, 15 Apr 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints. | |
| Title | ProcessWire CMS SSRF via Add Module From URL | |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: REJECTED
Assigner: VulnCheck
Published: 2026-04-15T21:25:53.214Z
Updated: 2026-07-09T22:59:18.996Z
Reserved: 2026-04-13T20:29:02.808Z
Link: CVE-2026-40500
Updated:
Status : Deferred
Published: 2026-04-15T22:17:22.377
Modified: 2026-06-17T10:45:23.457
Link: CVE-2026-40500
No data.