PT-2026-34564 · Squidex · Squidex

Published: 2026-04-22 · Updated: 2026-04-23 · CVE-2026-41171

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Squidex versions prior to 7.23.0
Description: The scripting engine functions, such as getJSON() and request(), are affected because the Jint HTTP client has no Server-Side Request Forgery (SSRF) protection. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. An authenticated user with low privileges, such as schema editing permissions, can force the server to make arbitrary outbound HTTP requests to internal endpoints or attacker-controlled servers. This can lead to unauthorized access to internal services and cloud metadata endpoints, such as the Instance Metadata Service (IMDS), potentially resulting in credential exposure and lateral movement within the network.
Recommendations: Update to version 7.23.0.
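The protection the description says is missing is a destination check applied before a server-side HTTP client follows a script-supplied URL. The following is an added example of such a check, not Squidex's or Jint's own code; the DNS table, hostnames and addresses in it are constructed, and in real use the resolver would wrap socket.getaddrinfo.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Well-known cloud metadata hostnames; the address rules catch 169.254.169.254 itself.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}

# Constructed DNS table so the example runs offline (hypothetical names and addresses).
SAMPLE_DNS = {"api.example.com": ["93.184.216.34"],
              "rebind.example": ["93.184.216.34", "10.0.0.5"]}  # public + internal answer

def sample_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS; real code would use socket.getaddrinfo and keep every answer."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return SAMPLE_DNS[host]

def is_forbidden_ip(ip_text: str) -> bool:
    """Loopback, RFC 1918/ULA, link-local (incl. IMDS), multicast, reserved or unspecified."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_outbound_url(url: str, resolver) -> tuple[bool, str]:
    """Return (allowed, reason); connect to the checked addresses, not a fresh lookup (rebinding)."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked metadata hostname: {host}"
    try:
        ipaddress.ip_address(host)  # literal address: check it directly
        addrs = [host]
    except ValueError:  # hostname: every resolved address must be public
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_forbidden_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

A name that returns both a public and an internal address is rejected outright, since a client that retries or round-robins would otherwise reach the internal one.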

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers: CVE-2026-41171

Affected Products: Squidex