CVE-2025-59055
- Source
- https://cve.org/CVERecord?id=CVE-2025-59055
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59055.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-59055
- Aliases
-
- GHSA-79hh-mhvg-whrw
- Published
- 2025-09-11T18:46:29.139Z
- Modified
- 2026-04-10T05:31:45.949267Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- InstantCMS vulnerable to Server-Side Request Forgery via package installer
- Details
-
InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability in InstantCMS up to and including 2.17.3 allows authenticated remote attackers to make nay HTTP/HTTPS request via the package parameter. It is possible to make any HTTP/HTTPS request to any website in installer functionality. Due to such vulnerability it is possible to for example scan local network, call local services and its functions, conduct a DoS attack, and/or disclose a server's real IP if it's behind a reverse proxy. It is also possible to exhaust server resources by sending plethora of such requests. As of time of publication, no patched releases are available.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-918" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59055.json" }- References
Affected packages
Git / github.com/instantsoft/icms2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/instantsoft/icms2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed