Server-Side Request Forgery Vulnerability in Simple Machines Forum
CVE-2026-61520
6.3MEDIUM
What is CVE-2026-61520?
A vulnerability exists in Simple Machines Forum that allows authenticated attackers to exploit a server-side request forgery (SSRF) in the image proxy. By embedding URLs in BBCode image tags, attackers can trigger internal HTTP requests because the proxy does not validate destination IP addresses against private address spaces. This flaw can lead to exposure of internal services, including cloud instance metadata and internal applications, enabling unauthorized access to sensitive information.
Affected Version(s)
SMF 2.1.0
SMF 2.1.0 < 2.1.7
SMF b4d23dfd74a511587c605f9d294cefc3a75b4b26
