CVE-2026-24736

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24736
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24736.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24736
Aliases
  • GHSA-wxg2-953m-fg2w
Published
2026-01-27T20:54:51.489Z
Modified
2026-03-10T14:47:27.321404Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Squidex has Server-Side Request Forgery (SSRF) Issue in Webhook Configuration
Details

Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (Either manual trigger by manually calling the trigger endpoint or by a content update or any other triggers), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. Which turns a "Blind" SSRF into a "Full Read" SSRF. As of time of publication, no patched versions are available.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24736.json"
}
References

Affected packages

Git / github.com/squidex/squidex

Affected ranges

Type
GIT
Repo
https://github.com/squidex/squidex
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
69d1d1ac849e9b938c5b15304c36ea57ecc6c7ac
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.21.0"
        }
    ]
}

Affected versions

17.*
17.4.0
3.*
3.0.0
3.0.0-beta2
3.0.0-beta3
3.1.0
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.5.0
4.*
4.0.0
4.0.0-beta1
4.0.1
4.0.2
4.0.3
4.1.0
4.1.0-beta1
4.1.0-rc
4.1.1
4.1.2
4.1.3
4.2.0
4.2.0-beta1
4.2.0-beta2
4.3.0
4.4.0
4.4.0-rc
4.5.0
4.5.1
4.6.0
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
5.*
5.0.0
5.0.0-beta1
5.0.0-beta2
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.4.0
5.5.0
5.6.0
5.7.0
5.8.0
5.8.1
5.8.2
5.9.0
6.*
6.0.0
6.0.1
6.1.0
6.10.0
6.11.0
6.12.0
6.13.0
6.14.0
6.2.0
6.3.0
6.4.0
6.5.0
6.6.0
6.7.0
6.8.0
6.9.0
7.*
7.0.0
7.0.0-rc1
7.0.0-rc2
7.0.0-rc3
7.0.1
7.0.2
7.0.3
7.1.0
7.10.0
7.11.0
7.12.0
7.13.0
7.14.0
7.15.0
7.16.0
7.17.0
7.19.0
7.2.0
7.20.0
7.21.0
7.3.0
7.4.0
7.5.0
7.6.0
7.6.1
7.7.0
7.8.0
7.8.1
7.8.2
7.9.0
v1.*
v1.0
v1.0-beta1
v1.0-beta2
v1.0-beta3
v1.1
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.8.0
v1.9.0
v2.*
v2.0
v2.0-RC1
v2.0-beta1
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.2.0
v2.2.1
v3.*
v3.0-beta1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24736.json"