CVE-2026-41177

low-risk
Published 2026-04-22

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
NETWORK / LOW complexity

References (3)

https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aed...
https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5
https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal