CVE-2026-33486 Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

🗓️ 26 Mar 2026 17:15:31Reported by GitHub_MType

Authenticated attacker can read local server files via a roadiz documents SSRF vulnerability; patched in updates.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2026-33486	26 Mar 202617:15	–	attackerkb
Circl	CVE-2026-33486	22 Mar 202611:18	–	circl
CNNVD	Roadiz development monorepo 代码问题漏洞	26 Mar 202600:00	–	cnnvd
CVE	CVE-2026-33486	26 Mar 202617:15	–	cve
Github Security Blog	Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents	23 Mar 202621:43	–	github
NVD	CVE-2026-33486	26 Mar 202618:16	–	nvd
OSV	CVE-2026-33486 Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents	26 Mar 202617:15	–	osv
OSV	GHSA-RC55-58F4-687G Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents	23 Mar 202621:43	–	osv
Positive Technologies	PT-2026-27283	23 Mar 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-33486	27 Mar 202622:51	–	redhatcve

[
  {
    "vendor": "roadiz",
    "product": "core-bundle-dev-app",
    "versions": [
      {
        "version": ">= 2.7.0, < 2.7.9",
        "status": "affected"
      },
      {
        "version": ">= 2.6.0, < 2.6.28",
        "status": "affected"
      },
      {
        "version": ">= 2.4.0, < 2.5.44",
        "status": "affected"
      },
      {
        "version": "< 2.3.42",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/roadiz/core-bundle-dev-app/commit/7904f690a51b88b1c72c02149ebdf85fa81f19f2
github	www.github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-rc55-58f4-687g

26 Mar 2026 17:15Current

CVSS 3.16.8

EPSS0.00014

CWE-918