Blind Server-Side Request Forgery in SocialEngine by SocialEngine
CVE-2026-41461
6.3 MEDIUM
What is CVE-2026-41461?
SocialEngine versions 7.8.0 and earlier are vulnerable to a blind server-side request forgery (SSRF) due to insufficient input sanitization in the /core/link/preview endpoint. This vulnerability allows authenticated remote attackers to inject arbitrary URLs, including internal and loopback addresses, facilitating unauthorized outbound HTTP requests to attacker-controlled sites. This can lead to internal network enumeration, potentially exposing sensitive services that should remain inaccessible from external networks.
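One way to vet a user-supplied preview URL before the server fetches it, shown as an added example that is not SocialEngine's code or its fix. The function names, the allowed ports and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: previews only need default web ports

def system_resolver(host, port):
    """Return every IP string the HTTP client could connect to for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def is_public_ip(text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text.split("%", 1)[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast

def check_preview_url(url, resolver=system_resolver):
    """Return (ok, reason, ips) for a user-supplied link-preview URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a bad port
    except ValueError:
        return False, "malformed URL", set()
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", set()
    if not parts.hostname:
        return False, "missing host", set()
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", set()
    try:
        ips = set(resolver(parts.hostname, port))
    except OSError:
        return False, "resolution failed", set()
    # Reject if ANY answer is internal: the client may pick any of them.
    if not ips or not all(is_public_ip(ip) for ip in ips):
        return False, "resolves to non-public address", set()
    return True, "ok", ips

if __name__ == "__main__":
    # Constructed sample: an IP literal resolves without DNS, so this runs offline.
    print(check_preview_url("http://127.0.0.1/admin"))
```

The fetcher should connect to one of the returned addresses rather than resolving the name a second time, and should run the same check on every redirect hop.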
Affected Version(s)
SocialEngine: versions 0 through 7.8.0 (inclusive)
