PT-2026-34563 · Squidex · Squidex

Published: 2026-04-22 · Updated: 2026-04-23 · CVE-2026-41170

CVSS v4.0: 8.5 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Squidex versions prior to 7.23.0

Description

The RestoreController.PostRestoreJob endpoint allows an administrator to provide an arbitrary URL for downloading backup archives. This URL is processed by the HttpClient without Server-Side Request Forgery (SSRF) protection, so the server can be made to send requests to unintended locations. An authenticated administrator can exploit this to probe internal network services, access cloud metadata endpoints, or conduct internal reconnaissance.

Recommendations

Update to version 7.23.0.
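
The missing protection described above, shown as an added example: an HttpClient that checks every resolved address at connect time, so DNS tricks cannot bypass the check, and refuses loopback, private, link-local (cloud metadata) and similar internal ranges. This is not Squidex code and not the 7.23.0 fix; BackupFetchGuard and its members are hypothetical names, and .NET 6 or later is assumed.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;

// Added example, not Squidex code; BackupFetchGuard and its members are hypothetical names.
public static class BackupFetchGuard
{
    // True for destinations a backup download should never reach.
    public static bool IsInternal(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (IPAddress.IsLoopback(ip)) return true;            // 127.0.0.0/8 and ::1
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal || ip.IsIPv6UniqueLocal
                || ip.IsIPv6Multicast || ip.Equals(IPAddress.IPv6Any);
        byte[] b = ip.GetAddressBytes();
        return b[0] == 0 || b[0] == 10                        // 0.0.0.0/8, 10.0.0.0/8
            || (b[0] == 100 && (b[1] & 0xC0) == 64)           // 100.64.0.0/10 (CGNAT)
            || (b[0] == 169 && b[1] == 254)                   // link-local, incl. 169.254.169.254
            || (b[0] == 172 && (b[1] & 0xF0) == 16)           // 172.16.0.0/12
            || (b[0] == 192 && b[1] == 168)                   // 192.168.0.0/16
            || b[0] >= 224;                                   // multicast and reserved
    }

    // HttpClient whose TCP connections go only to addresses that passed IsInternal.
    public static HttpClient CreateClient()
    {
        var handler = new SocketsHttpHandler
        {
            AllowAutoRedirect = false, // a redirect target would need the same policy decision
            UseProxy = false,          // with a proxy, the callback would only see the proxy address
            ConnectCallback = async (ctx, ct) =>
            {
                IPAddress[] ips = await Dns.GetHostAddressesAsync(ctx.DnsEndPoint.Host, ct);
                if (ips.Length == 0 || Array.Exists(ips, IsInternal))
                    throw new HttpRequestException("Backup URL resolves to a blocked address.");
                var socket = new Socket(SocketType.Stream, ProtocolType.Tcp) { NoDelay = true };
                try
                {
                    // Connect to the address that was checked, not to the host name again.
                    await socket.ConnectAsync(ips[0], ctx.DnsEndPoint.Port, ct);
                    return new NetworkStream(socket, ownsSocket: true);
                }
                catch { socket.Dispose(); throw; }
            }
        };
        return new HttpClient(handler);
    }
}
```

An egress firewall rule for the application host that blocks the same ranges covers any code path that does not use this client.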

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-41170

Affected Products

Squidex