Typecho SSRF Vulnerability (CVE-2026-7025) Publicly Exploitable
A critical server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-7025, affects Typecho versions up to 1.3.0. The flaw is in the Service::sendPingHandle function in var/Widget/Service.php, the handler that sends pingbacks for links in published content. As the affected argument (X-Pingback/link) indicates, the destination of that outbound request is taken from the linked page itself, its X-Pingback header or `<link rel="pingback">` tag, so whoever controls a linked page controls where the Typecho server connects.
National Vulnerability Database reports that this vulnerability allows for remote exploitation, enabling attackers to force the server to make requests to arbitrary locations. The exploit code is now public, significantly increasing the immediate risk to unpatched instances. Typecho’s vendor has reportedly not responded to early disclosures, leaving users exposed.
An SSRF in a web application is serious because the web server usually sits inside the network perimeter. An attacker can use it to probe internal hosts and ports, reach services that trust the server's source address, and hit cloud instance-metadata endpoints; even when the response body never reaches the attacker, differences in timing and error handling leak whether a host or port is open. With exploit code public, this is not theoretical: it is a ready-made path for reconnaissance and deeper access into an organization's infrastructure, and defenders need to move fast.
What This Means For You
- If your organization uses Typecho, immediately inventory every instance running version 1.3.0 or earlier. This is a high-severity, remotely exploitable SSRF with public exploit code, and no vendor fix was available at the time of writing. Until a patched release ships, treat the web host as untrusted on the inside: apply egress filtering so the PHP process cannot reach loopback, RFC 1918, link-local and cloud-metadata addresses, restrict who can publish content (pingbacks are sent for links in published posts), and monitor outbound connections from the host. This containment limits internal probing and data exfiltration; it does not remove the bug.
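The pingback flow described above, as an added example in Python (illustrative code written for this page, not Typecho's PHP): `discover_pingback_target` does what the vulnerable handler does, taking the pingback endpoint from the linked page's X-Pingback header or `<link rel="pingback">` tag, and `validate_pingback_target` is the destination check a hardened version needs before it opens a connection. The sample page, the `FAKE_DNS` table, the hostnames and all function names are constructed for the example.

```python
"""Pingback target discovery and an SSRF-safe destination check.

Illustrative code written for this page, not Typecho's. The classic pingback
flow: the server fetches each page a new post links to, reads the pingback
endpoint that page advertises, then POSTs an XML-RPC pingback to it. That
endpoint is chosen by the remote page, so it must be validated before use.
"""
import ipaddress
import socket
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse


class _PingbackLinkParser(HTMLParser):
    """Collects the href of the first <link rel="pingback"> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.href: Optional[str] = None

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag.lower() != "link" or self.href is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "pingback" in a.get("rel", "").lower().split():
            self.href = a.get("href") or None


def discover_pingback_target(headers: Dict[str, str], body: str) -> Optional[str]:
    """What the vulnerable handler does: trust the X-Pingback header first,
    then <link rel="pingback">. Both values are chosen by the linked site."""
    for name, value in headers.items():
        if name.lower() == "x-pingback" and value.strip():
            return value.strip()
    parser = _PingbackLinkParser()
    parser.feed(body)
    return parser.href


def is_public_address(ip: str) -> bool:
    """True only for addresses routable on the public Internet. Note that
    Python's ipaddress also treats the RFC 5737 TEST-NET ranges as private."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host: str) -> List[str]:
    """Real DNS lookup returning every A/AAAA answer (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_pingback_target(url: str,
                             resolve: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Hardened counterpart: return an address the pingback may be sent to, or
    raise ValueError. Every resolved address must be public, so a mixed DNS
    answer (one public, one internal) is rejected outright."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    try:                                    # IP literal: no lookup needed
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = list(resolve(parts.hostname))
    if not addrs:
        raise ValueError(f"{parts.hostname} does not resolve")
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"non-public address {ip} for host {parts.hostname}")
    return addrs[0]


# Constructed sample: a malicious linked page that advertises an internal
# endpoint in its header while its HTML points somewhere harmless.
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "X-Pingback": "http://169.254.169.254/latest/meta-data/"}
SAMPLE_BODY = ('<html><head><title>t</title>'
               '<link rel="pingback" href="http://blog.example/xmlrpc.php">'
               '</head><body>hi</body></html>')

# Constructed stand-in for DNS (hypothetical names) so the example runs offline.
FAKE_DNS = {
    "blog.example": ["1.2.3.4"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["5.6.7.8", "10.0.0.6"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def check_page(headers: Dict[str, str], body: str,
               resolve: Callable[[str], Iterable[str]] = fake_resolve) -> Tuple[Optional[str], str]:
    """Run discovery then validation; returns (advertised endpoint, verdict)."""
    target = discover_pingback_target(headers, body)
    if target is None:
        return None, "no pingback endpoint advertised"
    try:
        return target, "allowed via " + validate_pingback_target(target, resolve)
    except ValueError as exc:
        return target, f"blocked: {exc}"


if __name__ == "__main__":
    print(check_page(SAMPLE_HEADERS, SAMPLE_BODY))  # header wins: blocked, link-local
    print(check_page({}, SAMPLE_BODY))              # falls back to <link>: allowed
    for bad in ("http://intranet.example/", "http://rebind.example/",
                "http://127.0.0.1:8080/", "http://[::1]/", "file:///etc/passwd"):
        print(bad, "->", check_page({"X-Pingback": bad}, "")[1])
```

The resolver is injected so the block runs offline; in production use `default_resolver`, then connect to the address the check returned and send the hostname in the Host header, so a second lookup cannot rebind the name to an internal address after validation. Egress filtering on the host remains the second layer: the check narrows the destination, the network policy catches what the check misses.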
Detection Rules
Sigma rule, auto-generated by the feed and mapped to MITRE ATT&CK:
```yaml
title: CVE-2026-7025 - Typecho Pingback SSRF
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
  Detects exploitation attempts against Typecho CVE-2026-7025. This rule looks
  for POST requests whose path contains '/var/Widget/Service.php' and whose
  query string contains 'pingback', which the rule author treats as
  characteristic of the SSRF in the pingback service endpoint.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7025/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/var/Widget/Service.php'
    cs-uri-query|contains: 'pingback'
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World

Two caveats before deploying this rule. Field names follow Sigma's webserver taxonomy (`cs-uri-stem`, `cs-uri-query`, `cs-method`); confirm your backend mapping covers them. More importantly, Typecho dispatches every action through its front controller (the `/action/<name>` route served by index.php), so the source file var/Widget/Service.php is not the request path in normal use and need not be during exploitation; a rule keyed on that path will fire on scanners looking for the file rather than on the SSRF itself. Pair it with egress telemetry from the web host: outbound connections from the PHP process to loopback, RFC 1918, link-local and cloud-metadata addresses are the signal that actually corresponds to this bug.
Indicators of Compromise
The rows the feed labels as indicators are vulnerability attributes, not observables; there are no hashes, domains or addresses to hunt for here.
| CVE | Attribute | Value |
|---|---|---|
| CVE-2026-7025 | Affected versions | Typecho up to 1.3.0 |
| CVE-2026-7025 | Vulnerable function | var/Widget/Service.php, Service::sendPingHandle |
| CVE-2026-7025 | Component | Ping Back Service Endpoint |
| CVE-2026-7025 | Manipulated argument | X-Pingback/link |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 26, 2026 at 11:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.