VYPR
High severity · NVD Advisory · Published Apr 22, 2026 · Updated Apr 24, 2026

CVE-2026-41170

Description

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the RestoreController.PostRestoreJob endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the "Backup" HttpClient without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. Version 7.23.0 contains a fix.
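As an added illustration of the protection the description says was missing (example code written for this page, not Squidex's own), the check below is what a restore endpoint could run on an operator-supplied URL before handing it to an HTTP client: it rejects non-http(s) schemes, embedded credentials, and any host whose literal or resolved addresses fall outside public unicast space, which covers loopback, RFC 1918, link-local (the cloud metadata address) and IPv4-mapped IPv6 forms. `resolve_all`, `fake_resolver` and its hostnames are assumptions constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    """Every A/AAAA answer for host (live DNS; hypothetical helper name)."""
    return [ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)]

def check_backup_url(url, resolver=resolve_all):
    """Return (ok, reason). ok only if scheme is http(s), no credentials are
    embedded, and every address the host maps to is a public unicast address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP, no DNS
    except ValueError:
        try:
            addrs = resolver(parts.hostname)
        except OSError as exc:
            return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so an IPv4-mapped literal cannot dodge IPv4 rules.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        # is_global is False for loopback, RFC 1918 / ULA, link-local (which
        # covers 169.254.169.254), CGNAT, unspecified and documentation ranges.
        if not addr.is_global or addr.is_multicast:
            return False, "%s maps to non-public address %s" % (parts.hostname, addr)
    return True, "ok"

def fake_resolver(host):
    """Constructed offline resolver; hosts and addresses are made up."""
    table = {"backups.example.com": ["51.0.0.1"],
             "rebind.example.com": ["51.0.0.1", "10.0.0.5"]}  # one public, one private
    if host not in table:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return [ipaddress.ip_address(a) for a in table[host]]
```

Validating and then fetching still leaves a DNS rebinding window and does not cover redirects; a production guard should connect to the address it validated and re-run the check on every redirect hop.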

Affected products

  • Squidex/Squidex (no CPE): versions <7.23.0
