CVE-2026-7025

Name of the Vulnerable Software and Affected Versions Typecho versions prior to 1.3.1

Description An issue exists in the Ping Back Service Endpoint within the Service::sendPingHandle() function of the var/Widget/Service.php file. Remote attackers can trigger server-side request forgery (SSRF)—a flaw where the server is coerced into making unintended requests—by manipulating the X-Pingback/link argument.

Recommendations Update to a version later than 1.3.0. As a temporary workaround, restrict access to the Ping Back Service Endpoint or the Service::sendPingHandle() function to minimize the risk of exploitation.