VYPR
Low severity 2.7 · GHSA Advisory · Published Sep 3, 2025 · Updated Apr 15, 2026

CVE-2025-9821

Description

Summary: Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed.

Details: When sending webhooks, the destination is not validated, causing SSRF.

Impact: Bypass of firewalls to interact with internal services. See https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ for more potential impact.

Resources: See https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF and its fix.
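
The missing control named under Details is validation of the webhook destination before the request is sent. The Python below is an added illustration of that check, not Mautic's patch or code from the advisory; the function names, the injectable resolver and the http/https allowlist are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # assumed policy: web schemes only


def system_resolver(host, port):
    """Resolve host to the set of IP strings the OS would connect to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_public_address(text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so a mapped loopback/private address is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def vet_webhook_destination(url, resolver=system_resolver):
    """Return (host, port, vetted_ips) or raise ValueError.

    The caller should connect to one of vetted_ips (not re-resolve the name)
    and re-run this check on every redirect target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("URL must have a host and no embedded credentials")
    port = parts.port or ALLOWED_SCHEMES[parts.scheme]
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise ValueError(f"cannot resolve {parts.hostname!r}") from exc
    blocked = [a for a in addresses if not is_public_address(a)]
    # Reject if ANY record is internal: a mixed answer must not slip through.
    if blocked or not addresses:
        raise ValueError(f"{parts.hostname!r} resolves to non-public {blocked}")
    return parts.hostname, port, addresses
```

Checking the resolved addresses rather than the hostname string is what covers names that point at internal hosts; returning the vetted addresses lets the sender pin the connection so a second DNS lookup cannot give a different answer.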

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| mautic/core (Packagist) | >= 4.4.0, < 4.4.17 | 4.4.17 |
| mautic/core (Packagist) | >= 5.0.0-alpha, < 5.2.8 | 5.2.8 |
| mautic/core (Packagist) | >= 6.0.0-alpha, < 6.0.5 | 6.0.5 |
