PT-2026-34665 · Unknown · Socialengine

Egidio Romano · Published 2026-04-23 · Updated 2026-04-27 · CVE-2026-41461

CVSS v3.1: 8.5 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SocialEngine versions prior to 7.8.1

Description: A blind server-side request forgery exists in the "/core/link/preview" endpoint. The issue occurs because user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can provide arbitrary URLs, including internal network and loopback addresses, forcing the server to issue HTTP requests to attacker-controlled destinations. This allows for internal network enumeration and access to services not intended to be externally reachable.

Recommendations: Update to a version later than 7.8.0. As a temporary workaround, restrict access to the "/core/link/preview" endpoint or avoid using the uri parameter until a patch is applied.
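An added defensive example, not SocialEngine's code or its 7.8.1 fix, of the check a link-preview endpoint needs before fetching a user-supplied uri: it restricts the scheme, resolves every address the host maps to, and rejects loopback, private, link-local and IPv4-mapped destinations. The injectable resolver is an assumption made so the check can be exercised offline; the default uses socket.getaddrinfo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not SocialEngine's code: guard a user-supplied preview URL.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve every A/AAAA answer for host; one safe record is not enough."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip):
    """False for loopback, private, link-local, multicast, reserved, unspecified."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:127.0.0.1 hides a v4 loopback
        addr = mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_preview_url(url, resolver=default_resolver):
    """Return (allowed, reason); allowed only if every resolved address is public."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:  # literal IP needs no DNS but gets the same address checks
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "unresolvable host"
    bad = sorted(a for a in addrs if not is_public_address(a))
    if bad or not addrs:
        return False, "non-public address: " + ", ".join(bad)
    return True, "ok"
```

Validation at parse time does not cover DNS rebinding or redirects: the fetch must connect to the address that was checked, and every redirect target must go through the same check.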

Fix

SSRF


Weakness Enumeration

Related Identifiers: CVE-2026-41461

Affected Products: Socialengine