CVE-2026-40500

Name of the Vulnerable Software and Affected Versions ProcessWire CMS versions prior to 3.0.256

Description The admin panel's 'Add Module From URL' feature contains a server-side request forgery (SSRF) issue. This occurs when authenticated administrators provide arbitrary URLs to the module download parameter, leading the server to send outbound HTTP requests to internal or external hosts. By analyzing differentiable error messages, an attacker can perform internal network port scanning, host enumeration across RFC-1918 ranges (private IP address spaces), and potentially access cloud instance metadata endpoints.

Recommendations Update to a version newer than 3.0.255.