Skip to content

"Add module from URL" feature SSRF issue (CVE-2026-40500) #2277

Description

@teppokoivula

Hey Ryan,

There is a publicly reported SSRF issue in the "Add module from URL" feature in admin, see GHSA-gmwr-9j4p-96vm or https://nvd.nist.gov/vuln/detail/CVE-2026-40500. Though the scope is limited, this is an issue in part because it is being reported by third-party audits / audit tools.

As far as I can tell this has not been resolved in any existing version, dev included, but let me know if I am wrong.

Could you take a closer look at this? Thank you!

Also, sorry if this has been reported before, I couldn't find any references here. And for some reason the issue template is also no longer working.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions