Medium

Blind SSRF in SocialEngine /core/link/preview

IdentifiersCVE-2026-41461CWE-918· Server-Side Request Forgery (SSRF)

CVE-2026-41461 is a blind server-side request forgery vulnerability in SocialEngine 7.8.0 and earlier. The flaw is in the /core/link/preview endpoint, where attacker-controlled input supplied via the uri request parameter is not properly sanitized before being used to construct an outbound HTTP request from the application server. Because the application fetches the supplied URL on behalf of the user, an authenticated remote attacker can cause the SocialEngine server to send requests to arbitrary destinations, including internal RFC1918 hosts, loopback addresses, and other services not directly exposed externally. Public reporting notes exploitation examples such as requesting http://localhost:3306/ through the vulnerable endpoint. The issue is characterized as blind SSRF because the attacker triggers server-side requests without necessarily receiving the full response body directly.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to use the SocialEngine server as a proxy for reaching internal or otherwise inaccessible network resources. This can enable internal network enumeration, probing of localhost and adjacent services, validation of reachable hosts and ports, and interaction with services not intended to be externally reachable. Depending on the environment, the attacker may gain access to sensitive metadata or internal application interfaces and may be able to chain the SSRF into further compromise. The supplied CVSS information indicates high confidentiality impact with limited integrity impact and no direct availability impact.

Mitigation

If you can’t patch tonight, do this now.

Until remediation is applied, restrict access to the vulnerable functionality to only trusted authenticated users where possible. Apply outbound egress filtering from the SocialEngine host to block access to internal address space, loopback, link-local, cloud metadata endpoints, and sensitive management networks. Enforce URL parsing and destination validation at the application or proxy layer, disable unnecessary server-side URL fetching features, and monitor for suspicious requests to /core/link/preview containing full URLs, localhost references, private IP literals, or unusual ports.

Remediation

Patch, then assume compromise.

Upgrade SocialEngine to version 8.0.0 or later. The provided context states that version 8.0.0, released on 2026-05-15, was verified by the reporter on 2026-05-19 to correctly fix the vulnerability. If upgrading is not possible, the vulnerable /core/link/preview functionality should be corrected so that the uri parameter is strictly validated against an allowlist of permitted schemes, hosts, and destinations, with explicit blocking of loopback, link-local, private-address, and other internal targets before any outbound request is issued.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SocialengineSocialengineapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cvefeed high severityNews

Apr 23, 2026

CVE-2026-41461 - SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview

A blind server-side request forgery vulnerability in SocialEngine /core/link/preview affecting versions 7.8.0 and prior, allowing authenticated remote attackers to trigger outbound HTTP requests to arbitrary URLs, including internal and loopback addresses, enabling internal network enumeration and access to otherwise non-exposed services.

karmainsecurityNews

Feb 27, 2026

SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability | Karma(In)Security

A blind SSRF vulnerability in SocialEngine's /core/link/preview endpoint caused by improper sanitization of the uri parameter, allowing remote authenticated attackers to induce server-side HTTP requests.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41461

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41461

MITRE CWE · CWE-918

Server-Side Request Forgery (SSRF)

Third Party Advisory

karmainsecurity.com/KIS-2026-07

Third Party Advisory

vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview

seclists.org

seclists.org/fulldisclosure/2026/Apr/11

Product

socialengine.com