Scan free
HIGHCVE-2026-24138CVSS 7.5

CVE-2026-24138: SSRF in FOGProject ≤ 1.5.10.1754

Platform

php

Component

fogproject

Fixed in

1.5.11

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2026-24138 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in FOGProject, a free open-source cloning/imaging/rescue suite. This vulnerability allows an unauthenticated attacker to potentially access internal resources and files on the server running FOG. The vulnerability affects versions of FOGProject up to 1.5.10.1754, and a fix is available in version 1.5.11.

Impact and Attack Scenarios

The SSRF vulnerability in FOGProject's getversion.php allows an attacker to craft a malicious URL parameter that triggers the server to make requests to arbitrary internal or external resources. Because the vulnerability is unauthenticated, an attacker does not need valid credentials to exploit it. This could lead to the exposure of sensitive internal data, such as configuration files, database credentials, or even access to other internal services. The newService=1 parameter appears to be a key component in triggering the vulnerability, bypassing authentication checks. Successful exploitation could allow an attacker to map the internal network and identify other potential targets for further attacks.

Exploitation Context

CVE-2026-24138 was publicly disclosed on 2026-01-23. There is no indication of active exploitation at this time, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The relatively recent disclosure suggests a low to medium probability of exploitation, but continuous monitoring is recommended.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.01% (3% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentfogproject
VendorFOGProject
Affected rangeFixed in
<= 1.5.10.1754 – <= 1.5.10.17541.5.11

Weakness Classification (CWE)

CWE-918

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-24138 is to upgrade FOGProject to version 1.5.11 or later, which contains the fix. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests to getversion.php with suspicious URL parameters, specifically those containing user-controlled URLs. Additionally, restrict network access to the FOGProject server to only necessary IP addresses and ports. Monitor FOGProject logs for unusual outbound requests originating from getversion.php. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.

How to fix

Update FOG to a version later than 1.5.10.1754 when available. As there is no fixed version at the time of publication, monitor the FOG project for security updates and apply them as soon as possible. Consider implementing temporary mitigation measures, such as restricting access to `/fog/service/getversion.php` if possible, until a patched version is released.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-24138 — SSRF in FOGProject?

CVE-2026-24138 is a Server-Side Request Forgery (SSRF) vulnerability affecting FOGProject versions up to 1.5.10.1754, allowing unauthenticated access to internal resources.

Am I affected by CVE-2026-24138 in FOGProject?

You are affected if you are running FOGProject version 1.5.10.1754 or earlier. Upgrade to version 1.5.11 or later to mitigate the risk.

How do I fix CVE-2026-24138 in FOGProject?

Upgrade FOGProject to version 1.5.11 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to getversion.php.

Is CVE-2026-24138 being actively exploited?

There is currently no evidence of active exploitation, but continuous monitoring is recommended.

Where can I find the official FOGProject advisory for CVE-2026-24138?

Refer to the FOGProject website and security advisories for the latest information: [https://fogproject.org/](https://fogproject.org/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs