Platform
other
Component
squidex
Fixed in
7.21.1
CVE-2026-24736 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting Squidex, an open-source headless content management system. This flaw allows attackers to trigger HTTP requests to arbitrary internal addresses, potentially exposing sensitive internal services. The vulnerability impacts versions of Squidex up to 7.21.0, and a fix is available in version 7.21.1.
The SSRF vulnerability in Squidex arises from insufficient validation of the URL parameter within webhook configurations. Attackers can craft malicious rules that trigger HTTP requests to internal resources, bypassing network segmentation and potentially accessing sensitive data. This could include accessing internal APIs, databases, or other services that are not directly exposed to the internet. Successful exploitation could lead to data breaches, privilege escalation, or even complete system compromise. The ability to target localhost (127.0.0.1) directly increases the attack surface significantly, as it allows attackers to interact with services running on the same server.
CVE-2026-24736 was publicly disclosed on 2026-01-27. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a likely target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.08% (23% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24736 is to upgrade Squidex to version 7.21.1 or later, which includes the necessary URL validation fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the Squidex server to only necessary ports and IP addresses. Implement a Web Application Firewall (WAF) with rules to block outbound requests to suspicious internal addresses. Carefully review all webhook configurations and disable any that are not absolutely essential. Monitor Squidex logs for unusual outbound HTTP requests.
Update Squidex to a version later than 7.21.0 when a patched version is available. As a temporary workaround, it is recommended to review and restrict access to Webhook configuration and monitor rule execution logs for suspicious activity.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24736 is a critical SSRF vulnerability in Squidex headless CMS versions up to 7.21.0, allowing attackers to trigger HTTP requests to internal resources.
You are affected if you are running Squidex version 7.21.0 or earlier. Upgrade to 7.21.1 to resolve the vulnerability.
Upgrade Squidex to version 7.21.1 or later. As a temporary workaround, restrict network access and implement a WAF.
While no public exploits are currently known, the ease of exploitation makes it a likely target for attackers.
Refer to the official Squidex security advisory for detailed information and updates: [https://squidex.io/blog/cve-2026-24736/](https://squidex.io/blog/cve-2026-24736/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.