CVE-2026-41461

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://karmainsecurity.com/KIS-2026-07	Third Party Advisory
https://socialengine.com	Product
https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview	Third Party Advisory
http://seclists.org/fulldisclosure/2026/Apr/11

Configurations

Configuration 1 (hide)

cpe:2.3:a:socialengine:socialengine:*:*:*:*:*:*:*:*

History

29 Apr 2026, 20:16

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2026/Apr/11 -

27 Apr 2026, 14:53

Type	Values Removed	Values Added
References	~~() https://karmainsecurity.com/KIS-2026-07 -~~	() https://karmainsecurity.com/KIS-2026-07 - Third Party Advisory
References	~~() https://socialengine.com -~~	() https://socialengine.com - Product
References	~~() https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview -~~	() https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview - Third Party Advisory
CPE		cpe:2.3:a:socialengine:socialengine::::::::
First Time		Socialengine Socialengine socialengine

23 Apr 2026, 18:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.5

23 Apr 2026, 15:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-23 15:37

Updated : 2026-04-29 20:16

NVD link : CVE-2026-41461

Mitre link : CVE-2026-41461

CVE.ORG link : CVE-2026-41461

JSON object : View

Products Affected

socialengine

socialengine

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-41461", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.1}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-23T15:37:24.683", "references": [{"url": "https://karmainsecurity.com/KIS-2026-07", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://socialengine.com", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/11", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable."}], "lastModified": "2026-04-29T20:16:30.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:socialengine:socialengine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DA45DC7-D181-4DD5-929A-8EC5639C539B", "versionEndIncluding": "7.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}