| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-41461 | 23 Apr 2026 13:45 | - | attackerkb |
| CVE-2026-41461 | 23 Apr 2026 19:43 | - | circl |
| SocialEngine Code Issue Vulnerability | 23 Apr 2026 00:00 | - | cnnvd |
| CVE-2026-41461 | 23 Apr 2026 13:45 | - | cve |
| CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview | 23 Apr 2026 13:45 | - | cvelist |
| EUVD-2026-25226 | 23 Apr 2026 18:33 | - | euvd |
| CVE-2026-41461 | 23 Apr 2026 15:37 | - | nvd |
| PT-2026-34665 | 23 Apr 2026 00:00 | - | ptsecurity |
| CVE-2026-41461 | 29 Apr 2026 20:48 | - | redhatcve |
| CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview | 23 Apr 2026 13:45 | - | vulnrichment |

---------------------------------------------------------------------
SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
---------------------------------------------------------------------
[-] Software Link:
https://socialengine.com
[-] Affected Versions:
Versions 7.8.0, 7.7.0, and likely prior versions.
[-] Vulnerability Description:
User input passed through the "uri" request parameter to the
/core/link/preview endpoint is not properly sanitized before being
used as a URL to send an HTTP request from the web server. This can be
exploited by remote, authenticated attackers to carry out blind
Server-Side Request Forgery (SSRF) attacks by using URLs like the
following:
https://[socialengine]/core/link/preview/format/json?uri=http://localhost:3306/
[-] Solution:
No official solution is currently available.
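
With no vendor fix available, web access logs can be reviewed for preview requests whose "uri" value points at an internal host. The following is an added example, not part of the original advisory or of SocialEngine's code; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PREVIEW_PATH = "/core/link/preview"   # endpoint named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2026:14:02:11 +0000] "GET /core/link/preview/format/json?uri=http://localhost:3306/ HTTP/1.1" 200 52',
    '198.51.100.7 - - [23/Apr/2026:14:02:12 +0000] "GET /core/link/preview/format/json?uri=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 52',
    '198.51.100.9 - - [23/Apr/2026:14:05:40 +0000] "GET /core/link/preview/format/json?uri=https://example.com/post HTTP/1.1" 200 812',
    '198.51.100.9 - - [23/Apr/2026:14:05:41 +0000] "GET /members/home HTTP/1.1" 200 4096',
]

def is_internal_host(host):
    """True for localhost names and loopback/private/link-local IP literals."""
    host = host.strip("[]").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary hostname; resolving it is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def flag_preview_requests(log_lines):
    """Return (client, uri) pairs for preview requests aimed at internal hosts."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if PREVIEW_PATH not in target.path:
            continue
        # parse_qs percent-decodes, so encoded and plain values compare alike
        for uri in parse_qs(target.query).get("uri", []):
            try:
                host = urlsplit(uri).hostname or ""
            except ValueError:
                host = ""  # malformed URL, nothing to classify
            if is_internal_host(host):
                findings.append((line.split()[0], uri))
    return findings

if __name__ == "__main__":
    for client, uri in flag_preview_requests(SAMPLE_LOG):
        print(f"{client} requested preview of internal URL {uri}")
```

This only sees a "uri" value carried in the logged request line, and it does not resolve hostnames, so a public-looking name that resolves to an internal address is not flagged.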
[-] Disclosure Timeline:
[02/02/2026] - Vulnerability confirmed on version 7.7.0
[02/02/2026] - Vendor notified
[09/02/2026] - Vendor response stating "We are currently validating
your report... If this issue is confirmed, we will prioritize
appropriate fixes and include them in an upcoming update."
[27/02/2026] - Vendor released version 7.8.0, but the vulnerability is
still not fixed
[02/03/2026] - Vendor contacted again
[09/03/2026] - Vendor response stating "We will check and update you."
[23/03/2026] - Vendor notified about 60-day disclosure deadline policy
[25/03/2026] - Vendor response stating "Regarding this issue, we were
unable to fully understand the concern. Could you please provide more
detailed information or steps to reproduce the issue?"
[25/03/2026] - Vendor was provided with more details and guidance on
how to fix the vulnerability
[03/04/2026] - Reached 60-day disclosure deadline, still no official solution
[21/04/2026] - CVE identifier requested
[22/04/2026] - CVE identifier assigned
[23/04/2026] - Public disclosure
[-] CVE Reference:
CVE-2026-41461 has been assigned to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-07