Lucene search
K

📄 SocialEngine 7.8.0 Server-Side Request Forgery

🗓️ 23 Apr 2026 00:00:00Reported by EgiXType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 98 Views

SocialEngine versions 7.7 and 7.8 allow blind SSRF via the uri parameter in /core/link/preview.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-41461
23 Apr 202613:45
attackerkb
Circl
CVE-2026-41461
23 Apr 202619:43
circl
CNNVD
SocialEngine 代码问题漏洞
23 Apr 202600:00
cnnvd
CVE
CVE-2026-41461
23 Apr 202613:45
cve
Cvelist
CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview
23 Apr 202613:45
cvelist
EUVD
EUVD-2026-25226
23 Apr 202618:33
euvd
NVD
CVE-2026-41461
23 Apr 202615:37
nvd
Positive Technologies
PT-2026-34665
23 Apr 202600:00
ptsecurity
RedhatCVE
CVE-2026-41461
29 Apr 202620:48
redhatcve
Vulnrichment
CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview
23 Apr 202613:45
vulnrichment
Rows per page
---------------------------------------------------------------------
    SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
    ---------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://socialengine.com
    
    
    [-] Affected Versions:
    
    Versions 7.8.0, 7.7.0, and likely prior versions.
    
    
    [-] Vulnerability Description:
    
    User input passed through the "uri" request parameter to the
    /core/link/preview endpoint is not properly sanitized before being
    used as URL to send an HTTP request from the web server. This can be
    exploited by remote, authenticated attackers to carry out blind
    Server-Side Request Forgery (SSRF) attacks by using URLs like the
    following:
    
    https://[socialengine]/core/link/preview/format/json?uri=http://localhost:3306/
    
    
    [-] Solution:
    
    No official solution is currently available.
    
    
    [-] Disclosure Timeline:
    
    [02/02/2026] - Vulnerability confirmed on version 7.7.0
    
    [02/02/2026] - Vendor notified
    
    [09/02/2026] - Vendor response stating "We are currently validating
    your report... If this issue is confirmed, we will prioritize
    appropriate fixes and include them in an upcoming update."
    
    [27/02/2026] - Vendor released version 7.8.0, but the vulnerability is
    still not fixed
    
    [02/03/2026] - Vendor contacted again
    
    [09/03/2026] - Vendor response stating "We will check and update you."
    
    [23/03/2026] - Vendor notified about 60-day disclosure deadline policy
    
    [25/03/2026] - Vendor response stating "Regarding this issue, we were
    unable to fully understand the concern. Could you please provide more
    detailed information or steps to reproduce the issue?"
    
    [25/03/2026] - Vendor was provided with more details and guidance on
    how to fix the vulnerability
    
    [03/04/2026] - Reached 60-day disclosure deadline, still no official solution
    
    [21/04/2026] - CVE identifier requested
    
    [22/04/2026] - CVE identifier assigned
    
    [23/04/2026] - Public disclosure
    
    
    [-] CVE Reference:
    
    CVE-2026-41461 has been assigned to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    https://karmainsecurity.com/KIS-2026-07

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

23 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 46.3
CVSS 3.18.5
EPSS0.00302
SSVC
98