CVE-2026-41461

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N                                    

Vulnerability Description

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.

Vulnerability Details

Published Date

April 23, 2026

Last Modified

April 23, 2026

CWE ID

CWE-918

Source

NVD

Vendor

SocialEngine

Product

SocialEngine

External References

https://karmainsecurity.com/KIS-2026-07
https://socialengine.com
https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview

CVE-2026-41461

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment