Server-Side Request Forgery in Open-WebSearch by Aas-ee
CVE-2026-42260

8.2HIGH

Key Information:

Vendor: Aas-ee
Status: Open-websearch
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-42260?

Open-WebSearch, a multi-engine server for web search and content retrieval, has a vulnerability that affects its URL validation process. The issue arises in the methods isPublicHttpUrl and assertPublicHttpUrl, which fail to correctly handle bracketed IPv6 literals and do not resolve DNS queries properly. This flaw allows a malicious actor to exploit non-blind SSRF vulnerabilities, potentially exposing sensitive data returned in the response body. The issue affects versions released before 2.1.7 and has been addressed in the latest update.

Affected Version(s)

open-webSearch < 2.1.7

References

https://github.com/Aas-ee/open-webSearch/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42260 Data

JSON