CVE-2026-49328
Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 4th |
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.
| CWE | CWE-918 |
| Vendor | apache software foundation |
| Product | apache fesod (incubating) |
| Published | Jun 1, 2026 |
| Last Updated | Jun 1, 2026 |
Affected Versions
Apache Software Foundation / Apache Fesod (Incubating)
0 < 2.0.2-incubating
References
github.com: https://github.com/apache/fesod/pull/917
github.com: https://github.com/apache/fesod/releases/tag/2.0.2-incubating
fesod.apache.org: https://fesod.apache.org/docs/download
lists.apache.org: https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/01/4
Credits
Xu Han