CVE-2026-40500 — The Admin Panel'S 'Add Module From URL' Feature That Server-Side Request Forgery
Image via images.unsplash.com
CVE-2026-40500 — ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound H
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40500 | vulnerability | CVE-2026-40500 |
| CWE-918 | weakness | CWE-918 |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 16, 2026 at 01:17 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related Posts
Critical WordPress Plugin Flaw Grants Admin Privileges
CVE-2026-4880 — The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) plugin for WordPress is vulnerable to privilege escalation...
Free5GC UDR Service Leaks 5G Subscriber Identifiers
CVE-2026-40245 — Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions 4.2.1 and below contain an information disclosure vulnerability...
Maddy Mail Server Hit by Critical LDAP Injection Flaw
CVE-2026-40193 — maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames...