CVE-2026-25870
MEDIUMDoraCMS < 3.1 - Server-Side Request Forgery via UEditor Remote Image Fetch
Title source: llmDescription
DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal or private IP address ranges, or apply request timeouts or response size limits. An attacker can abuse this behavior to induce the server to issue outbound requests to arbitrary hosts, including internal network resources, potentially enabling internal network scanning and denial of service through resource exhaustion.
References (3)
Core 3
Core References
Issue Tracking issue-tracking
https://github.com/doramart/DoraCMS/issues/268
Various Sources product
https://www.doracms.net/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/doracms-ueditor-remote-image-fetch-ssrf
Scores
CVSS v3
5.8
EPSS
0.0030
EPSS Percentile
21.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
doramart/DoraCMS
< 3.1
doramart/DoraCMS
< 3.1.0
Published
Feb 10, 2026
Tracked Since
Feb 18, 2026