Server-Side Request Forgery Vulnerability in Squidex CMS by Squidex
CVE-2026-41171

7.3HIGH

Key Information:

Vendor: Squidex
Status: Squidex
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-41171?

Squidex, an open source headless content management system, is vulnerable to Server-Side Request Forgery (SSRF) due to inadequate protection mechanisms in its scripting engine's HTTP client. An authenticated user with minimal permissions can exploit this vulnerability to make unauthorized outbound HTTP requests, potentially gaining access to internal services and sensitive cloud metadata. This could lead to credential exposure and allow attackers to navigate laterally within the network. The vulnerability was addressed in version 7.23.0 of Squidex.

Affected Version(s)

squidex < 7.23.0

References

https://github.com/Squidex/squidex/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e...

x_refsource_MISC

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 17, 2026

CVE-2026-41171 Data

JSON