3 matches found
CVE-2026-57940
CVE-2026-57940 affects HTMLy 3.1.1 and describes an SSRF in the RSS feed import. The vulnerable code path is get_feed() in system/admin/admin.php, which passes user-supplied feed_url directly to file_get_contents() without validation. An authenticated admin can exploit this by supplying a crafted...
CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...
CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...