← Back
2026-05-12 21:24CVE-2026-41195GitHub_M
PUBLISHED5.2CWE-918

mosparo: Rule package source URL stored SSRF enables internal HTTP probing

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.

Problem type

Affected products

mosparo

mosparo

< 1.4.13 - AFFECTED

References

https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg

https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg

x_refsource_CONFIRM

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-41195
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-41195",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T21:24:35.643Z",
    "dateReserved": "2026-04-18T02:51:52.973Z",
    "datePublished": "2026-05-12T21:24:35.643Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T21:24:35.643Z"
      },
      "title": "mosparo: Rule package source URL stored SSRF enables internal HTTP probing",
      "descriptions": [
        {
          "lang": "en",
          "value": "mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13."
        }
      ],
      "affected": [
        {
          "vendor": "mosparo",
          "product": "mosparo",
          "versions": [
            {
              "version": "< 1.4.13",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "cweId": "CWE-918",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg",
          "name": "https://github.com/mosparo/mosparo/security/advisories/GHSA-92fh-26qf-r8rg",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    }
  }
}