Vulnerability Description
DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/doramart/DoraCMS/issues/268
- https://www.doracms.net/
- https://www.vulncheck.com/advisories/doracms-ueditor-remote-image-fetch-ssrf
- https://github.com/doramart/DoraCMS/issues/268
FAQ
What is CVE-2026-25870?
CVE-2026-25870 is a vulnerability with a CVSS score of 5.8 (MEDIUM). DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs serve...
How severe is CVE-2026-25870?
CVE-2026-25870 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25870?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.