Hey Ryan,
There is a publicly reported SSRF issue in the "Add module from URL" feature in admin, see GHSA-gmwr-9j4p-96vm or https://nvd.nist.gov/vuln/detail/CVE-2026-40500. Though the scope is limited, this is an issue in part because it is being reported by third-party audits / audit tools.
As far as I can tell this has not been resolved in any existing version, dev included, but let me know if I am wrong.
Could you take a closer look at this? Thank you!
Also, sorry if this has been reported before, I couldn't find any references here. And for some reason the issue template is also no longer working.