CVE-2026-25870

MEDIUM 5.8

DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF

CVSS Score

5.8

EPSS Score

0.0%

EPSS Percentile

2th

DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.

CWE	CWE-918
Vendor	doramart
Product	doracms
Published	Feb 10, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for doramart doracms

Be the first to know when new medium vulnerabilities affecting doramart doracms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

doramart / DoraCMS

0 ≤ 3.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/doramart/DoraCMS/issues/268 doracms.net: https://www.doracms.net/ vulncheck.com: https://www.vulncheck.com/advisories/doracms-ueditor-remote-image-fetch-ssrf

Credits

Lennon Chia