CVE-2026-25870
MediumCVSS 5.8Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits.
Risk Assessment
An attacker can exploit this vulnerability to scan the organization's internal network and perform a Denial of Service (DoS) attack by exhausting server resources. This could lead to disclosure of internal infrastructure information and disruption of services.
Recommendation
Immediately update DoraCMS to a version newer than 3.1 if available, or apply temporary mitigations such as restricting access to the remote image fetch functionality and implementing IP allowlists and request timeouts.
Original NVD description (English source)
DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.

