CVE-2025-63551
Severity
HIGH
MetInfo < 8.1 - Server-Side Request Forgery via XML External Entity Injection
Title source: llmDescription
A Server-Side Request Forgery (SSRF) vulnerability, reachable through XML External Entity (XXE) injection, exists in the MetInfo Content Management System (CMS) through 8.1. The flaw stems from a defect in the XML parsing logic: the parser resolves external entities declared in attacker-supplied XML, so an attacker can declare an entity whose SYSTEM identifier points at an arbitrary internal or external network address and force the server to issue an HTTP request to it. Successful exploitation could enable internal network reconnaissance, port scanning, or retrieval of sensitive information; the CVSS vector accordingly rates confidentiality impact as high with no integrity or availability impact. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed. Two points to verify before relying on this entry: the upstream description says "through 8.1" while the product entry below lists the affected range as < 8.1, so treat 8.1 itself as potentially affected until confirmed; and the affected path sits under `/admin/`, so confirm whether the vulnerable endpoint is reachable without authentication, as the PR:N in the CVSS vector asserts.
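The XXE-to-SSRF mechanism the description refers to, as an added example that is not MetInfo's code (MetInfo is a PHP application and the affected parser was not published; this is an independent Python model of the class of defect described). It uses the standard library's xml.sax/expat parser. A recording entity resolver stands in for the network so the example runs offline: with external general entities enabled, the parser tries to fetch the attacker-chosen SYSTEM URL and splices the response into the document; with them disabled, and with a DOCTYPE pre-check in front, the same payload is inert. The internal URL, the element names, the canned "fetched" body and the benign document are all constructed for this example.

```python
import io
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Constructed attacker payload (not taken from the public PoC): the external entity's
# SYSTEM identifier points at an internal address. A parser that resolves it issues
# the request on the attacker's behalf, which is the SSRF primitive.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE webset [
  <!ENTITY probe SYSTEM "http://127.0.0.1:8080/admin/status">
]>
<webset><title>&probe;</title></webset>
"""

# Constructed benign document of the same shape, carrying no DTD.
BENIGN_PAYLOAD = "<webset><title>My site</title></webset>"


class RecordingResolver(handler.EntityResolver):
    """Stands in for the network: records each external entity URL the parser asks for
    and hands back a canned body, so the example runs offline."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(b"fetched-from-internal-host"))  # simulated response
        return src


class TextCollector(handler.ContentHandler):
    """Collects character data, including text spliced in from resolved entities."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_xml(xml_text, resolve_external_entities):
    """Parse xml_text; return (collected text, list of external URLs the parser requested).

    resolve_external_entities=True models the defective configuration; False is the fix.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(collector.chunks), resolver.requested


def has_dtd(xml_text):
    """Defence in depth: untrusted documents have no business carrying a DOCTYPE at all."""
    return "<!doctype" in xml_text.lower()


def parse_untrusted(xml_text):
    """Hardened entry point: reject any DTD up front and keep external entities off."""
    if has_dtd(xml_text):
        raise ValueError("DOCTYPE declarations are not accepted in user-supplied XML")
    return parse_xml(xml_text, resolve_external_entities=False)


if __name__ == "__main__":
    text, urls = parse_xml(XXE_PAYLOAD, resolve_external_entities=True)
    print("vulnerable parser requested:", urls, "and produced:", repr(text))
    text, urls = parse_xml(XXE_PAYLOAD, resolve_external_entities=False)
    print("hardened parser requested:", urls, "and produced:", repr(text))
    print("benign document via hardened path:", parse_untrusted(BENIGN_PAYLOAD))
```

The recorded URL list is the detection signal: in a real deployment the same entity resolver would be the point to log the outbound target, and the DOCTYPE pre-check is what a WAF rule or input filter for this endpoint should key on, since a settings payload for a CMS never legitimately needs a DTD.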
References (2)
Exploit, Third Party Advisory: https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection
Exploit, Third Party Advisory: https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/main/README.md
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
32.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-611
CWE-918
Status
published
Products (1)
metinfo/metinfo
< 8.1
Published
Nov 06, 2025
Tracked Since
Feb 18, 2026