CVE-2026-41195 MEDIUM

CVE-2026-41195: mosparo: Rule package source URL stored SSRF enables internal HTTP probing

Vendor Mosparo

Product mosparo

Weakness CWE-918 · SSRF

Published May 12, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.

Key dates

02Disclosure timeline

May 12, 2026 CVE published

May 18, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41195

Related vulnerabilities

04Related CVE

CVE-2026-30953 LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest CVE-2024-54385 WordPress Radio Player plugin <= 2.0.83 - Server Side Request Forgery (SSRF) vulnerability CVE-2024-13907 Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid <= 1.16.8 - Authenticated (Administrator+) Server-Side Request Forgery CVE-2026-44502 Bugsink: SSRF bypass in `validate_webhook_url` CVE-2024-53738 WordPress Asset CleanUp: Page Speed Booster plugin <=1.3.9.8 - Server Side Request Forgery (SSRF) vulnerability