PT-2026-5022 · Squidex · Squidex

Ahmedgomaaa · Published 2026-01-27 · Updated 2026-02-12 · CVE-2026-24736

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Squidex versions up to and including 7.21.0
Description: Squidex is an open source headless content management system and content management hub. The url parameter of a webhook action in the Rules engine does not validate or restrict the destination address, so it accepts loopback and other internal addresses such as 127.0.0.1 or localhost. When the rule fires, the backend server makes an HTTP request to the user-supplied URL and stores the full HTTP response in the rule execution log (the lastDump field), which is readable through the API. This turns what would otherwise be a "blind" Server-Side Request Forgery (SSRF) into a "full read" SSRF: the attacker sees the complete response returned by the internal target. Creating or editing rules requires a privileged account (the CVSS vector records PR:H), which is the precondition for exploitation.
Recommendations: Squidex versions up to and including 7.21.0 are affected. At the time of writing there is no information about a release that fixes this vulnerability. Until one is available, limit rule-editing privileges to trusted administrators, review existing rules for webhook URLs that point at loopback, link-local or internal address ranges, and apply host or network egress controls so the Squidex backend cannot reach such ranges at all.
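The control the description says is missing is a destination check on the webhook URL. The Python below is an added example, not Squidex's own code (Squidex is a C# project): it models the check in a language the reader can run directly. Every name in it is hypothetical, and CONSTRUCTED_DNS is a made-up resolver table so the example runs offline; system_resolver is the real-world substitute. It goes slightly beyond the literal cases in the advisory (127.0.0.1 and localhost) to cover the encodings an attacker reaches for once the obvious forms are rejected: IPv6 loopback, IPv4-mapped IPv6, a single-integer IPv4 literal, link-local addresses such as the cloud metadata endpoint, and a hostname that returns both a public and an internal answer.

```python
"""Destination check for admin-supplied webhook URLs.

Added example, not Squidex's own code: it models the control the advisory
says is missing. All names here are hypothetical; CONSTRUCTED_DNS is a
made-up resolver table so the example runs offline.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS answers used by the demo and tests (not real hosts).
CONSTRUCTED_DNS = {
    "hooks.example.com": ["93.184.216.34"],            # a globally routable address
    "internal.corp.example": ["10.20.30.40"],          # RFC 1918
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback answer
}


def fake_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS, backed by CONSTRUCTED_DNS."""
    return list(CONSTRUCTED_DNS.get(host, []))


def system_resolver(host: str) -> list[str]:
    """Real resolver: every A/AAAA answer, deduplicated, or [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def blocked_reason(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> str | None:
    """Why `addr` must not be a webhook target, or None if it may be."""
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:          # includes 169.254.169.254 (cloud metadata)
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:             # RFC 1918, fc00::/7, documentation ranges
        return "private"
    if not addr.is_global:          # reserved, shared address space, etc.
        return "non-global"
    return None


def is_allowed_webhook_target(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects any URL whose host resolves, in whole
    or in part, to a non-public address; only http and https are accepted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost name"

    if host.isdigit():
        # http://2130706433/ is 127.0.0.1 written as a single integer.
        try:
            candidates = [ipaddress.IPv4Address(int(host))]
        except ValueError:
            return False, "malformed numeric host"
    else:
        try:
            candidates = [ipaddress.ip_address(host)]
        except ValueError:
            answers = list(resolve(host))
            if not answers:
                return False, "unresolvable host"
            candidates = [ipaddress.ip_address(a) for a in answers]

    # Every answer must be acceptable: a single internal record is enough to reject.
    for addr in candidates:
        reason = blocked_reason(addr)
        if reason is not None:
            return False, f"{addr} is {reason}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://hooks.example.com/hook", "http://127.0.0.1:5000/admin",
              "http://localhost/", "http://[::1]/", "http://2130706433/",
              "http://169.254.169.254/latest/meta-data/",
              "http://internal.corp.example/hook", "https://rebind.example/",
              "file:///etc/passwd"):
        print(f"{u:45} -> {is_allowed_webhook_target(u, fake_resolver)}")
```

Two caveats follow from how the bug is described. First, checking the URL only when the rule is saved is not enough: the name can be re-pointed at an internal address later (DNS rebinding) or the target can redirect to one, so the same check should run against the address actually connected to when the rule fires and again after every redirect. Second, the full-read half of the problem is the lastDump field: even with a destination check in place, writing the complete response body of an outbound request into an API-readable log is worth restricting to status and headers, or truncating.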

Exploit

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-24736
GHSA-WXG2-953M-FG2W

Affected Products

Squidex