CVE-2026-41177 MEDIUM

CVE-2026-41177: Squidex has Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction

Vendor Squidex
Product squidex
Weakness CWE-73
Published April 22, 2026
Last update April 23, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L

What the vulnerability does

01Description

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 23, 2026 Record updated