Platform: nodejs
Component: hm_editor
Fixed in: 2.2.1, 2.2.2, 2.2.3, 2.2.4
CVE-2026-5346 is a server-side request forgery (SSRF) vulnerability affecting huimeicloud hmeditor versions 2.2.0 through 2.2.3. This flaw allows attackers to manipulate the 'url' parameter within the image-to-base64 endpoint, potentially leading to unauthorized access to internal resources. The vulnerability is remotely exploitable and has been publicly disclosed, posing a significant risk to deployments using affected versions. Mitigation involves upgrading to a patched version of hmeditor.
Successful exploitation of CVE-2026-5346 allows an attacker to initiate arbitrary HTTP requests from the hm_editor server. This can lead to a variety of malicious actions, including accessing sensitive internal services, reading configuration files, and potentially even interacting with other systems within the network. The SSRF vulnerability bypasses normal network security controls, allowing an attacker to reach resources that would otherwise be inaccessible. The ability to make requests on behalf of the server significantly expands the attack surface, potentially enabling data exfiltration or further exploitation of vulnerable internal systems. Given the public disclosure, the risk of exploitation is elevated.
CVE-2026-5346 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability is present in a Node.js application, a common target for attackers. No EPSS score is available. Public proof-of-concept code may be available or developed shortly, further accelerating exploitation. The vulnerability was disclosed on 2026-04-02, and the vendor has not responded, indicating a potential lack of timely patching.
Organizations deploying huimeicloud hmeditor versions 2.2.0 through 2.2.3 are at risk, particularly those with sensitive internal services accessible from the server. Environments with weak network segmentation or inadequate input validation are especially vulnerable. Shared hosting environments where hmeditor is deployed alongside other applications are also at increased risk.
• nodejs / server:
grep -r 'client.get' /path/to/hm_editor/src/
• generic web:
curl -I 'http://your-hm-editor-server/image-to-base64?url=http://internal-service/' | grep 'Server:'
• generic web:
curl -I 'http://your-hm-editor-server/image-to-base64?url=file:///etc/passwd' | grep 'Server:'
disclosure
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5346 is to upgrade huimeicloud hmeditor to a version that addresses the SSRF vulnerability. Unfortunately, a fixed version is not specified in the provided data. As a temporary workaround, implement strict input validation on the 'url' parameter within the image-to-base64 endpoint to prevent malicious URLs from being processed. Consider using a web application firewall (WAF) to filter out suspicious requests. Review and restrict network access for the hmeditor server to minimize the potential impact of a successful SSRF attack. After applying mitigations, verify functionality by attempting to access the image-to-base64 endpoint with a benign URL and confirming that the server behaves as expected.
Upgrade to a patched version of hm_editor that fixes the Server-Side Request Forgery (SSRF) vulnerability. If no such version is available, consider disabling or removing the image-to-base64 endpoint component until a fix is published.
CVE-2026-5346 is a server-side request forgery vulnerability in huimeicloud hm_editor versions 2.2.0–2.2.3, allowing attackers to make requests on behalf of the server.
You are affected if you are using huimeicloud hm_editor versions 2.2.0 through 2.2.3 and have not upgraded to a patched version.
Upgrade to a patched version of huimeicloud hm_editor. As a temporary workaround, implement strict input validation on the 'url' parameter.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation is possible.
The vendor has not responded to the disclosure, so an official advisory may not be available. Monitor huimeicloud's website and security channels for updates.