Server-Side Request Forgery Vulnerability in Apache Fesod
CVE-2026-49328

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Fesod (incubating)
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-49328?

The vulnerability in the UrlImageConverter component of Apache Fesod before version 2.0.2-incubating allows attackers to exploit server-side request forgery. By supplying a malicious image URL, an attacker could trigger outbound network requests to internal or otherwise restricted resources, creating potential exposure to sensitive data. Users are encouraged to update to version 2.0.2-incubating to mitigate this risk.

Affected Version(s)

Apache Fesod (Incubating) 0 < 2.0.2-incubating

References

https://github.com/apache/fesod/pull/917

patch

https://github.com/apache/fesod/releases/tag/2.0.2-incuba...

release-notes

https://fesod.apache.org/docs/download

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 29, 2026

Credit

Xu Han

CVE-2026-49328 Data

JSON