Apache Fesod SSRF Flaw in UrlImageConverter Patched
Apache disclosed CVE-2026-49328, an important-severity server-side request forgery (SSRF) vulnerability in Apache Fesod (Incubating) affecting the fesod-sheet package before version 2.0.2-incubating. The flaw resides in the UrlImageConverter component, where improper validation of user-supplied image URLs can cause the server to make outbound requests to internal or otherwise restricted resources. The issue was reported by Xu Han and is tracked in Apache Fesod issue or pull request #917.
The vulnerability could let attackers probe enterprise backend systems or private cloud endpoints that are not directly exposed to the internet, increasing the risk of internal network access and information exposure. Apache has released version 2.0.2-incubating to remediate the bug with stricter validation of user-supplied parameters, and defenders are being urged to upgrade promptly; where immediate patching is not possible, restricting unusual outbound server connections can help reduce exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apache releases Fesod 2.0.2-incubating to fix CVE-2026-49328
Apache maintainers released version 2.0.2-incubating to remediate CVE-2026-49328 by tightening validation of user-supplied parameters in the affected component. Apache recommended upgrading to this version to address the SSRF issue.
Apache Fesod SSRF vulnerability CVE-2026-49328 disclosed
Apache disclosed CVE-2026-49328, an important-severity server-side request forgery flaw in the UrlImageConverter component of the fesod-sheet package affecting versions before 2.0.2-incubating. The issue can cause outbound requests to internal or otherwise restricted resources via improperly validated user-supplied image URLs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Fory Deserialization Flaw Lets Attackers Bypass Java Safety Checks
Apache disclosed **CVE-2026-50076**, an important- to high-severity deserialization vulnerability in the Java SDK of Apache Fory that affects `org.apache.fory:fory-core` versions before `1.1.0`. The flaw lies in the Java `ReplaceResolverSerializer` replace-resolve path, where incomplete verification allows crafted Fory serialized data to bypass class registration requirements, `TypeChecker` enforcement, and `DisallowedList` protections during deserialization. If an application processes untrusted external data streams, a remote attacker can trigger classpath-present `readResolve` and `readExternal` hooks on Java/JVM systems, creating a path to unauthorized code execution on backend servers. Apache fixed the issue in version `1.1.0` by adding stricter sanitization checks before deserialization and advised users to upgrade immediately and review deployments that deserialize externally supplied data; the vulnerability was reported by Venkatraman Kumar (**r3dw0lfsec**) of Securin.
Jun 4, 2026
XXE Flaws in GeoServer WFS and Apache CXF Expose Servers to SSRF and Data Leakage
GeoServer and Apache CXF disclosed separate XML External Entity vulnerabilities that could let attackers abuse unsafe XML parsing to access sensitive resources. In GeoServer, **CVE-2025-30220** affects the Web Feature Service (`WFS`) through the GeoTools library, where in-memory XSD schema processing does not enforce GeoServer’s `ENTITY_RESOLUTION_ALLOWLIST` restriction. The flaw can enable **information disclosure** and **server-side request forgery (SSRF)** via malicious XML containing external entities or DTDs, with affected GeoServer versions including `2.27.0`, `2.26.0` through `2.26.2`, and versions up to `2.25.6`. Apache also disclosed **CVE-2026-44618**, an important-severity XXE flaw in the WS-Transfer functionality of Apache CXF caused by an insecure XML parser configuration. Affected versions include `org.apache.cxf:cxf-rt-ws-transfer` `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` releases before `3.6.11`. Vendors urged organizations to upgrade to fixed releases immediately; where GeoServer patching is delayed, defenders were advised to restrict access to `WFS` endpoints and monitor for suspicious XML requests and outbound activity consistent with SSRF attempts.
May 25, 2026
Apache HTTP Server fixes HTTP/2 double-free flaw with possible RCE
The Apache Software Foundation released **Apache HTTP Server 2.4.67** to fix five vulnerabilities, led by **`CVE-2026-23918`**, an important- to high-severity flaw in the HTTP/2 implementation. Apache said the bug is a **double free** triggered by an early reset that could lead to **remote code execution**, and that it affects **version 2.4.66**. The issue was reported in December 2025 and fixed shortly afterward, with public disclosure following on the `oss-sec` mailing list; Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl were credited with finding it. The 2.4.67 release also patches **`CVE-2026-24072`** in `mod_rewrite`, which can allow local `.htaccess` authors to read arbitrary files as the `httpd` user, along with lower-severity issues in `mod_proxy_ajp`, `mod_md`, and `mod_dav_lock`. Apache and downstream reporting urged organizations running **2.4.66 or earlier** to upgrade immediately, while temporary mitigations for environments that cannot patch at once include disabling **HTTP/2**, removing `mod_dav_lock`, and reviewing `.htaccess` permissions.
May 8, 2026