CVE-2026-7291

MEDIUM 6.3

o2oa URL Fetching FileAction.java FileAction server-side request forgery

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE	CWE-918
Vendor	n/a
Product	o2oa
Published	Apr 28, 2026

Stay Ahead of the Next One

Get instant alerts for n/a o2oa

Be the first to know when new medium vulnerabilities affecting n/a o2oa are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / o2oa

10.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/359951 vuldb.com: https://vuldb.com/vuln/359951/cti vuldb.com: https://vuldb.com/submit/803073 github.com: https://github.com/o2oa/o2oa/issues/195 github.com: https://github.com/o2oa/o2oa/

Credits

🔍 larlarua (VulDB User) VulDB CNA Team