CVE-2026-25870 MEDIUM

CVE-2026-25870: DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF

Vendor Doramart
Product DoraCMS
Weakness CWE-918 · SSRF
Published February 10, 2026
Last update April 7, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01 Description

DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.
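The controls the description says are absent (scheme and port restriction, an optional host allowlist, rejection of private, loopback and link-local destinations, a request timeout and a response size cap) as an added Python example of what a hardened remote image fetch looks like. This is not DoraCMS or UEditor code; the function names, the limit values and the DEMO_DNS lookup table are constructed assumptions so the checks can be exercised offline.

```python
"""Hardened remote image fetch: the controls the CVE description says are missing.

Added example, not DoraCMS/UEditor code. Function names, limits and the
DEMO_DNS table are constructed assumptions.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}      # no file://, gopher://, etc.
ALLOWED_PORTS = {80, 443}                # stops probing of internal service ports
MAX_RESPONSE_BYTES = 5 * 1024 * 1024     # cap on fetched body (resource exhaustion)
FETCH_TIMEOUT_SECONDS = 5                # a slow remote must not pin a worker


def _is_public_ip(ip):
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped so the loopback check sees the IPv4 part."""
    addr = ipaddress.ip_address(ip.split("%")[0])   # drop an IPv6 zone id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked


def _system_resolver(host):
    """Every address the name maps to; all of them must pass the check."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed lookup table standing in for DNS so the example runs offline.
DEMO_DNS = {
    "img.example.com": ["93.184.216.34"],                 # public only
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # mixed: must be refused
}


def demo_resolver(host):
    return DEMO_DNS.get(host.lower(), [])


def validate_fetch_url(url, resolver=None, host_allowlist=None):
    """Return (scheme, host, port, ips) for a URL that is safe to fetch,
    or raise ValueError with the reason it was rejected."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} not allowed")
    if host_allowlist is not None and host.lower() not in host_allowlist:
        raise ValueError(f"host {host!r} not in allowlist")
    try:                                   # literal IP in the URL: check it directly
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:                     # hostname: check every resolved address
        ips = (resolver or _system_resolver)(host)
    if not ips:
        raise ValueError(f"host {host!r} did not resolve")
    for ip in ips:
        if not _is_public_ip(ip):
            raise ValueError(f"host {host!r} maps to non-public address {ip}")
    return parsed.scheme, host, port, ips


def rejection_reason(url, **kwargs):
    """The reason a URL is rejected, or None if it passed validation."""
    try:
        validate_fetch_url(url, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def read_limited(stream, max_bytes=MAX_RESPONSE_BYTES, chunk_size=64 * 1024):
    """Read a body in chunks and abort once it exceeds max_bytes, so a huge or
    endless response cannot exhaust memory. Content-Length is not trusted."""
    buf = bytearray()
    while True:
        chunk = stream.read(min(chunk_size, max_bytes - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ValueError(f"response exceeds {max_bytes} bytes")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 3xx to an internal address would bypass the check
    that was done on the original URL."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_remote_image(url, host_allowlist=None):
    """Validate first, then fetch with timeout and size cap (performs network I/O)."""
    validate_fetch_url(url, host_allowlist=host_allowlist)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=FETCH_TIMEOUT_SECONDS) as resp:
        if not resp.headers.get("Content-Type", "").startswith("image/"):
            raise ValueError("response is not an image")
        return read_limited(resp)
```

One gap this still leaves open is DNS rebinding: `validate_fetch_url` resolves the name once, and `urllib` resolves it again when it connects, so a name that changes its answer between the two lookups could still reach a private address. Closing that requires connecting to the validated IP directly and supplying the hostname only in the Host header and SNI, which most HTTP clients need a custom transport for; the checks above are the baseline an allowlist-free fetcher such as the one described needs before any of that.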

Key dates

02 Disclosure timeline

February 10, 2026 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04 Related CVE