SocialEngine Blind SSRF in `/core/link/preview` Fixed in Version 8.0.0
A public advisory disclosed CVE-2026-41461, a blind server-side request forgery flaw in SocialEngine affecting 7.8.0, 7.7.0, and likely earlier versions. The vulnerability stems from improper sanitization of the uri parameter in the /core/link/preview endpoint, allowing an authenticated remote attacker to make the SocialEngine server issue HTTP requests to internal or arbitrary destinations, including localhost-accessible services. The issue was discovered by Egidio Romano.
The vendor was notified in February 2026, but the flaw remained present in SocialEngine 7.8.0 and no official fix was available at the time of public disclosure after the 60-day window. SocialEngine later released version 8.0.0, and the researcher confirmed that release properly remediated the SSRF issue. The disclosure indicates the bug could be abused for internal network reachability and server-side request pivoting from authenticated accounts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Reporter confirms SocialEngine 8.0.0 fixes CVE-2026-41461
On verification, Egidio Romano confirmed that SocialEngine 8.0.0 properly remediated the blind SSRF vulnerability tracked as CVE-2026-41461.
SocialEngine 8.0.0 is released
SocialEngine released version 8.0.0 following the public disclosure of the SSRF issue. This release was later confirmed by the reporter to address the vulnerability.
Blind SSRF vulnerability in SocialEngine is publicly disclosed
After the 60-day disclosure window, the SSRF issue was publicly disclosed, with no official patch or workaround available at that time. The advisory said authenticated attackers could force the server to send requests to internal or arbitrary destinations.
SocialEngine 7.8.0 releases without fixing the SSRF flaw
SocialEngine released version 7.8.0, but the blind SSRF vulnerability remained present. The flaw involved insufficient sanitization of the /core/link/preview endpoint's uri parameter.
Researcher notifies SocialEngine of SSRF vulnerability
Egidio Romano reported a blind server-side request forgery flaw in SocialEngine to the vendor. The issue affected version 7.7.0, likely earlier releases, and was later assigned CVE-2026-41461.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability | Karma(In)Security
karmainsecurity.com
Open sourceFull Disclosure: [KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Angular SSR Flaw Enables SSRF via Malformed URLs in Server-Side Rendering
Angular disclosed a **server-side request forgery (SSRF)** issue in `@angular/platform-server` that affects applications using Server-Side Rendering. The flaw, tracked as `CVE-2026-41423`, stems from improper handling of protocol-relative and backslash-based URLs passed from server engines such as Express into Angular rendering functions. A crafted request can cause Angular to treat an attacker-controlled domain as the application's origin, allowing relative `HttpClient` requests and `PlatformLocation.hostname` references to resolve to external infrastructure. The issue can expose internal services, including private APIs and cloud metadata endpoints, and related advisory material also links the bug family to **header injection** risks in Angular SSR deployments. Angular fixed the vulnerability in versions `19.2.21`, `20.3.19`, `21.2.9`, and `22.0.0-next.8`, leaving earlier releases vulnerable where SSR is enabled and untrusted request paths can influence rendering context.
May 28, 2026
OpenEMR Flaws Expose Patient Search to SQL Injection and Eye Exam Forms to Stored XSS
OpenEMR disclosed two high-severity vulnerabilities affecting versions prior to **8.0.0.3**, including an authenticated blind boolean-based SQL injection tracked as `CVE-2026-29187` and a stored cross-site scripting flaw tracked as `CVE-2026-33348`. The SQL injection issue resides in the Patient Search component at `/interface/new/new_search_popup.php` and can be triggered by manipulating HTTP parameter keys rather than values, allowing a low-privileged authenticated attacker to target sensitive data and application integrity without user interaction. The second flaw affects the Eye Exam form workflow, where a user with the **`Notes - my encounters`** role can inject malicious JavaScript into form answers such as `$CHRONIC2` and `$CHRONIC3`. That payload is later executed when users with the same role view the encounter page or visit history, creating a stored XSS path inside the clinical workflow. Both issues were assigned on March 25, 2026, mapped to **CWE-89** and **CWE-79** respectively, and were patched in **OpenEMR 8.0.0.3**, with fixes published through the project release, commit history, and security advisory.
Mar 26, 2026
Apache Fesod SSRF Flaw in UrlImageConverter Patched
Apache disclosed **CVE-2026-49328**, an important-severity server-side request forgery (**SSRF**) vulnerability in Apache Fesod (Incubating) affecting the `fesod-sheet` package before version `2.0.2-incubating`. The flaw resides in the `UrlImageConverter` component, where improper validation of user-supplied image URLs can cause the server to make outbound requests to internal or otherwise restricted resources. The issue was reported by Xu Han and is tracked in Apache Fesod issue or pull request `#917`. The vulnerability could let attackers probe enterprise backend systems or private cloud endpoints that are not directly exposed to the internet, increasing the risk of internal network access and information exposure. Apache has released **version `2.0.2-incubating`** to remediate the bug with stricter validation of user-supplied parameters, and defenders are being urged to upgrade promptly; where immediate patching is not possible, restricting unusual outbound server connections can help reduce exposure.
Jun 2, 2026