๐Ÿ” CVE Alert

CVE-2026-41171

UNKNOWN 0.0

SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An authenticated user with low privileges (e.g., schema editing permissions) can force the server to make arbitrary outbound HTTP requests to attacker-controlled or internal endpoints. This allows access to internal services and cloud metadata endpoints (e.g., IMDS), potentially leading to credential exposure and lateral movement. Version 7.23.0 contains a fix.

CWE: CWE-918
Vendor: squidex
Product: squidex
Published: Apr 22, 2026
Last Updated: Apr 22, 2026

Affected Versions

Squidex / squidex
< 7.23.0

References

github.com: https://github.com/Squidex/squidex/security/advisories/GHSA-4m22-gvqm-jv97
github.com: https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4