CVE-2026-41195— mosparo: Rule package source URL stored SSRF enables internal HTTP probing

mosparo: Rule package source URL stored SSRF enables internal HTTP probing

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

服务端请求伪造(SSRF)

mosparo 代码问题漏洞

mosparo是mosparo开源的一款现代垃圾邮件防护软件。 mosparo 1.4.13之前版本存在代码问题漏洞，该漏洞源于自动规则包源URL功能允许具有编辑器角色的项目成员存储攻击者控制的URL，服务器后续获取时因未限制私有或回环目标，导致存储型SSRF，可转为内部HTTP探测。

N/A

N/A