CVE-2025-10695 MEDIUM

CVE-2025-10695: OpenSupports 4.11.0 — SSRF via test imap and smtp endpoints

Vendor Opensupports

Product OpenSupports

Weakness CWE-918 · SSRF

Published October 3, 2025

Last update October 6, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction. This issue affects OpenSupports: 4.11.0.

Key dates

02Disclosure timeline

October 3, 2025 CVE published

October 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10695

Related vulnerabilities

04Related CVE

CVE-2026-40999 Spring WS SSRF via unvalidated WS-Addressing reply destinations CVE-2024-13360 AI Power: Complete AI Pack <= 1.8.96 - Authenticated (Subscriber+) Server-Side Request Forgery CVE-2024-13856 Make Builder <= 1.1.10 - Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function CVE-2025-53241 WordPress Simplified plugin <= 1.0.11 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-14008 dayrui XunRuiCMS Project Domain Change Test admin79f2ec220c7e.php server-side request forgery