Platform: other
Component: cve-discovery
Fixed in: 4.0.1
CVE-2026-4907 describes a server-side request forgery (SSRF) vulnerability affecting Page Replica versions up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. This flaw allows attackers to manipulate the 'url' parameter within the /sitemap endpoint, potentially leading to unauthorized access to internal resources. Due to the product's rolling release model, specific affected versions are not available, but the vulnerability is actively exploitable.
The SSRF vulnerability in Page Replica allows an attacker to craft malicious requests through the /sitemap endpoint. By manipulating the 'url' parameter, an attacker can trick the server into making requests to arbitrary internal or external resources. This could expose sensitive internal data, allow access to administrative interfaces, or even be leveraged for further attacks, such as port scanning or accessing cloud metadata. The availability of a public exploit significantly increases the risk of exploitation, making it a high-priority concern. The potential impact extends beyond the immediate system, as successful exploitation could lead to data breaches and compromise of related services.
CVE-2026-4907 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was reported on 2026-03-27. The vendor was notified early about the disclosure. The EPSS score is likely to be medium or high given the public exploit and potential for significant impact.
Exploit Status:
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
Due to Page Replica's rolling release strategy, a direct patch is not immediately available. Mitigation efforts should focus on immediate hardening measures. Implement strict input validation on the 'url' parameter within the /sitemap endpoint to prevent malicious URL manipulation. Network segmentation can limit the impact of a successful SSRF attack by restricting access to sensitive internal resources. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out malicious requests. Regularly review and update firewall rules to adapt to evolving attack techniques. Verify that the Page Replica instance is not exposed directly to the internet and that access is restricted to authorized clients.
Update to a version later than e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. Since the vendor has not responded, it is recommended to contact them directly to obtain a patched version or implement additional security measures to mitigate the risk of SSRF.
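The input validation recommended above, shown as an added example that is not Page Replica's own code: an allowlist check a server-side fetcher can run on a user-supplied 'url' value, such as the /sitemap endpoint's parameter, before following it. It assumes a generic http(s) fetcher; the function names are ours, and the DNS answers are constructed so the checks run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def default_resolver(host):
    # getaddrinfo also normalises numeric spellings such as "2130706433".
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}

def validate_target(url, resolver=default_resolver):
    """Return (ok, reason): ok only for http(s) on a standard port whose host
    resolves solely to globally routable addresses (is_global rejects loopback,
    RFC 1918, link-local incl. 169.254.169.254, CGNAT and reserved, v4 and v6)."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"resolution failed: {exc}"
    for addr in addrs:  # a single non-public answer rejects the whole URL
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"

def table_resolver(table):
    # Offline stand-in for DNS; unknown names fail like a real lookup.
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"unknown host {host}")
        return table[host]
    return resolve

# Constructed sample answers (not real DNS data) for exercising the checks offline.
SAMPLE_DNS = {"example.com": {"93.184.216.34"}, "internal.corp": {"10.0.0.5"},
              "rebind.test": {"93.184.216.34", "127.0.0.1"},  # mixed answer
              "169.254.169.254": {"169.254.169.254"},  # cloud metadata address
              "2130706433": {"127.0.0.1"}}  # decimal spelling of loopback
```

Resolving and then connecting are two separate lookups, so the fetcher should connect to the address that passed the check rather than re-resolving the name.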
CVE-2026-4907 is a server-side request forgery vulnerability in Page Replica versions up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0, allowing attackers to manipulate requests through the /sitemap endpoint.
If you are using Page Replica versions prior to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0, you are potentially affected by this SSRF vulnerability.
Due to the rolling release strategy, a direct patch is unavailable. Implement input validation on the /sitemap endpoint, network segmentation, and consider a WAF with SSRF protection.
Yes, a public exploit is available, indicating a high probability of active exploitation.
Refer to the vendor's official communication channels for the latest advisory regarding CVE-2026-4907.