Platform
php
Component
processwire
Fixed in
3.0.256
CVE-2026-40500 is a server-side request forgery (SSRF) vulnerability in the ProcessWire content management system (CMS). The flaw lies in the admin panel's 'Add Module From URL' feature, which fetches a module archive from a URL supplied by an authenticated administrator without adequately validating that URL. An attacker with admin access can point it at hosts of their choosing, including hosts on the server's internal network, so that the server itself makes outbound HTTP requests to them, potentially exposing internal services and sensitive data. All ProcessWire versions up to and including 3.0.255 are affected; the fix shipped in 3.0.256.
In affected versions (3.0.255 and earlier) the 'Add Module From URL' feature accepts whatever URL an authenticated administrator enters as the module download location and fetches it server-side. Because the destination is not restricted, the administrator can direct that request to servers they control, whether on the public internet or on the web server's internal network. The impact is that of a classic SSRF: discovery of internal hosts and services, access to resources that are reachable only from the server itself, and, if a reached service or its response can be chained with another weakness, potentially code execution. SSRF on its own does not execute code; that outcome depends on what the internal network exposes.
Exploitation requires an authenticated account with access to the module-installation part of the admin panel. The attacker enters a target such as http://<internal-host>:<port>/ in the 'Module URL' field and submits the form. The server attempts the fetch and reports the outcome, and because the error shown differs depending on whether the connection was refused, timed out, or an HTTP response came back, the attacker can tell open ports from closed ones and enumerate live hosts. This turns the feature into a reliable internal port scanner and exposes services that are firewalled from the internet but reachable from the web server.
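The class of check that stops this attack, as an added example (this is not ProcessWire's own code or its actual 3.0.256 patch): before the server fetches a module URL, it restricts the scheme, refuses credentials and non-standard ports, resolves the hostname and rejects any address that is loopback, private or link-local. The class name ModuleUrlGuard, the method resolveSafe and the hostnames in the constructed DNS table are assumptions made for the demonstration; the resolver is injectable so the example runs without network access.

```php
<?php
// Added example: an SSRF guard for an admin-supplied module download URL.
// Illustrates the kind of validation a fix needs; it is NOT ProcessWire's
// code. Class/method names and the fake DNS data below are assumptions.

declare(strict_types=1);

final class ModuleUrlGuard
{
    /** @var callable(string): (array<int,string>|false) */
    private $resolver;

    /** @param callable|null $resolver hostname => list of IPs; defaults to real DNS. */
    public function __construct(?callable $resolver = null)
    {
        $this->resolver = $resolver ?? 'gethostbynamel';
    }

    /**
     * Returns the IP address the fetch must connect to, or throws.
     * The caller should connect to that IP (sending the original hostname in
     * the Host header) so a DNS change between check and fetch cannot swap
     * in an internal address after validation.
     */
    public function resolveSafe(string $url): string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            throw new InvalidArgumentException('Malformed URL');
        }
        // Only https: rejects http://, file://, gopher://, php:// and friends.
        if (strtolower($parts['scheme']) !== 'https') {
            throw new InvalidArgumentException('Only https module URLs are allowed');
        }
        // user:pass@host confusion and odd ports are standard SSRF tricks.
        if (isset($parts['user']) || isset($parts['pass'])) {
            throw new InvalidArgumentException('Credentials not allowed in URL');
        }
        if (isset($parts['port']) && $parts['port'] !== 443) {
            throw new InvalidArgumentException('Non-standard port not allowed');
        }
        $host = strtolower(rtrim($parts['host'], '.'));
        if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
            throw new InvalidArgumentException('Loopback host not allowed');
        }
        // parse_url keeps the brackets of an IPv6 literal: https://[::1]/
        $literal = trim($host, '[]');
        $ips = filter_var($literal, FILTER_VALIDATE_IP) !== false
            ? [$literal]
            : ($this->resolver)($host);
        if (!is_array($ips) || $ips === []) {
            throw new InvalidArgumentException("Cannot resolve $host");
        }
        // Every resolved address must be public: a single private A record
        // is enough to reach an internal service, so the whole name fails.
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP,
                    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
                throw new InvalidArgumentException("$host resolves to non-public address $ip");
            }
        }
        return $ips[0];
    }
}

// Constructed resolver so the demo needs no network (hostnames are made up).
$fakeDns = fn(string $h) => [
    'modules.example.org' => ['203.0.113.10'],
    'evil.example'        => ['93.184.216.34', '10.0.0.5'], // one private record
    'meta.example'        => ['169.254.169.254'],           // link-local
][$h] ?? false;

$guard = new ModuleUrlGuard($fakeDns);
$cases = [
    'https://modules.example.org/MyModule.zip',
    'http://modules.example.org/MyModule.zip',
    'https://modules.example.org:8080/MyModule.zip',
    'https://127.0.0.1/admin',
    'https://[::1]/',
    'https://evil.example/MyModule.zip',
    'https://meta.example/',
    'https://user@modules.example.org/MyModule.zip',
];
foreach ($cases as $url) {
    try {
        printf("ALLOW %s -> %s\n", $url, $guard->resolveSafe($url));
    } catch (InvalidArgumentException $e) {
        printf("DENY  %s (%s)\n", $url, $e->getMessage());
    }
}
```

Only the first URL is allowed. Two caveats apply to any real implementation of this check: the HTTP client must not follow redirects automatically (each hop has to go through the same guard), and returning the validated IP rather than re-resolving the name at fetch time is what closes the DNS rebinding window.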
Exploit Status
EPSS
0.03% (9th percentile)
Update to ProcessWire CMS 3.0.256 or later; that release validates the URL supplied to 'Add Module From URL' before the server fetches it. Beyond patching: keep the set of accounts with administrator rights, and in particular module-installation rights, to a minimum, since the attack requires an authenticated administrator; restrict outbound connections from the web server to the destinations it legitimately needs, so that a forged request cannot reach internal services; and log and review the server's outbound HTTP requests, where connections to loopback, private or link-local addresses are a clear indicator of SSRF probing. A web application firewall can block obviously malformed module URLs, but it does not substitute for egress control, because the dangerous request originates from the server, not from the client.
Update to ProcessWire CMS 3.0.256 or later. That release fixes the issue by validating the URL given to the admin panel's 'Add Module From URL' feature before fetching it.
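The monitoring recommended above, made concrete as an added example that is not part of the original advisory: a small analyser run over constructed egress-log lines from the web server. It flags every outbound request whose destination is a loopback, private or link-local address and, as the fingerprint of the error-based port scan described earlier, reports internal hosts that were contacted on several distinct ports. The log layout (timestamp, source host, method, target URL, status) and the sample lines are assumptions made for the demonstration; adapt the regular expression to the real proxy or firewall format.

```php
<?php
// Added example: detect SSRF-style probing in outbound HTTP logs.
// Log format and the sample lines are constructed for this demo.

declare(strict_types=1);

// Constructed sample: "web01" is the host running the CMS.
$sampleLog = <<<'LOG'
2026-04-02T10:01:03Z web01 GET https://modules.example.org/MyModule.zip 200
2026-04-02T10:02:11Z web01 GET http://10.0.0.5:8080/ 502
2026-04-02T10:02:12Z web01 GET http://10.0.0.5:9200/ 200
2026-04-02T10:02:14Z web01 GET http://169.254.169.254/ 200
2026-04-02T10:02:15Z web01 GET http://127.0.0.1:6379/ 502
2026-04-02T10:03:00Z web01 GET https://203.0.113.9/archive.zip 200
LOG;

/**
 * Parse egress log lines and return the requests that reached non-public
 * addresses, plus the internal hosts probed on more than one port.
 *
 * @return array{hits: list<array{time:string,target:string,reason:string}>,
 *               scans: array<string,list<int>>}
 */
function analyseEgress(string $log): array
{
    $hits = [];
    $portsByHost = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // time source METHOD target status
        if (!preg_match('/^(\S+)\s+\S+\s+[A-Z]+\s+(\S+)\s+(\d{3})$/', $line, $m)) {
            continue; // unparseable line: skip rather than guess
        }
        [, $time, $target, $status] = $m;
        $u = parse_url($target);
        if ($u === false || !isset($u['host'])) {
            continue;
        }
        $host = trim($u['host'], '[]');
        $port = $u['port'] ?? ((($u['scheme'] ?? 'http') === 'https') ? 443 : 80);
        // Only IP literals are judged here; a hostname would need the
        // resolver's answer, which this log does not carry.
        if (filter_var($host, FILTER_VALIDATE_IP) === false) {
            continue;
        }
        $public = filter_var($host, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
        if ($public) {
            continue;
        }
        $hits[] = [
            'time'   => $time,
            'target' => $target,
            'reason' => "non-public destination $host:$port (status $status)",
        ];
        $portsByHost[$host][$port] = true;
    }
    // Several distinct ports on one internal host in quick succession is
    // what the error-differentiation port scan looks like from the outside.
    $scans = [];
    foreach ($portsByHost as $host => $ports) {
        if (count($ports) >= 2) {
            $scans[$host] = array_keys($ports);
        }
    }
    return ['hits' => $hits, 'scans' => $scans];
}

$result = analyseEgress($sampleLog);
foreach ($result['hits'] as $h) {
    echo "{$h['time']} ALERT {$h['reason']} <- {$h['target']}\n";
}
foreach ($result['scans'] as $host => $ports) {
    echo "SCAN  $host probed on ports " . implode(',', $ports) . "\n";
}
```

On the sample above the two public destinations pass, the four internal ones are alerted, and 10.0.0.5 is reported as scanned on ports 8080 and 9200. A status of 502 versus 200 on those internal targets is exactly the signal the attacker reads from the admin panel's error messages, so the status column is worth keeping in any alert.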
Server-side request forgery (SSRF) is a vulnerability in which an attacker makes a server issue requests to destinations the attacker chooses. Because the request comes from the server, it can reach internal hosts, scan the internal network, or hit services that trust traffic from that server. SSRF by itself does not execute code, but it can be the stepping stone to a vulnerability that does.
If your site runs ProcessWire CMS 3.0.255 or earlier, it is affected. Check the version your installation reports and update to 3.0.256 or later; once updated, the vulnerable behaviour is gone.
If you cannot update right away, reduce exposure in the meantime: limit who holds administrator access to the admin panel, restrict the web server's outbound connections to the destinations it legitimately needs, and monitor for outbound requests to internal addresses. These measures limit the impact but do not remove the flaw; only the update does.
Generic vulnerability scanners can detect SSRF, and version checks can identify affected ProcessWire installations, but updating to the latest ProcessWire version is the definitive fix.
An attacker could learn the layout of the internal network, which internal hosts exist and which ports are open on them, and potentially read internal resources that are reachable only from the web server.