Vulnerabilities ›

CVE-2026-40500

Medium

CWE-918 — Weakness Type

                    Published: Apr 15, 2026                      ·  Modified: Apr 18, 2026                      ·  Source: NVD                

CVSS v3

6.8

🔗 NVD Official

📄 Description (English)

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.

🤖 AI Executive Summary

ProcessWire CMS 3.0.255 and earlier contain a server-side request forgery (SSRF) vulnerability in the admin module download feature that allows authenticated administrators to scan internal networks and access metadata endpoints. While requiring admin authentication, the vulnerability enables reconnaissance of internal infrastructure, cloud metadata access, and potential lateral movement. No patch is currently available, making immediate compensating controls essential for Saudi organizations running ProcessWire.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 10, 2026 14:37

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using ProcessWire CMS for content management—particularly government agencies, educational institutions, and small-to-medium enterprises—face significant risk. The vulnerability is particularly concerning for organizations hosting ProcessWire on cloud infrastructure (AWS, Azure, Google Cloud) where metadata endpoints could expose sensitive credentials. Government entities under NCA oversight and organizations handling sensitive data are at elevated risk. The SSRF capability enables attackers to enumerate internal network topology, discover internal services, and potentially access cloud instance metadata containing API keys and credentials.

🏢 Affected Saudi Sectors

Government and Public Administration Education and Universities Healthcare and Medical Institutions Small and Medium Enterprises (SMEs) Non-Profit Organizations Media and Publishing E-Commerce and Retail

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application (admin panel exploitation) T1526 - Gather Victim Network Information (internal network enumeration) T1046 - Network Service Discovery (port scanning via SSRF) T1592 - Gather Victim Host Information (cloud metadata access) T1040 - Network Sniffing (internal traffic analysis) T1021 - Remote Services (lateral movement via discovered services)

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Audit all ProcessWire CMS installations in your environment and document versions

2. Restrict admin panel access to trusted IP ranges using firewall rules or WAF policies

3. Implement network segmentation to isolate ProcessWire servers from sensitive internal systems

4. Disable the 'Add Module From URL' feature if not actively used—modify admin permissions to prevent module installation

5. Monitor outbound HTTP/HTTPS connections from ProcessWire servers for suspicious destinations



Compensating Controls:

6. Implement egress filtering to block outbound connections to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and 169.254.0.0/16 (metadata endpoints)

7. Deploy Web Application Firewall (WAF) rules to detect and block requests to internal IP ranges in module URLs

8. Enable detailed logging of all admin panel activities, particularly module installation attempts

9. Implement network-level monitoring for connections to cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.)

10. Review and restrict admin user accounts—remove unnecessary administrative privileges



Detection Rules:

- Alert on HTTP requests from ProcessWire to private IP ranges or 169.254.x.x

- Monitor for repeated failed connection attempts to different internal hosts

- Track admin panel access logs for 'Add Module From URL' feature usage

- Flag any module installation attempts with suspicious or internal URLs

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بتدقيق جميع تثبيتات ProcessWire CMS في بيئتك وتوثيق الإصدارات

2. قيد الوصول إلى لوحة التحكم على نطاقات IP موثوقة باستخدام قواعد جدار الحماية أو سياسات WAF

3. تنفيذ تقسيم الشبكة لعزل خوادم ProcessWire عن الأنظمة الداخلية الحساسة

4. تعطيل ميزة 'إضافة وحدة من URL' إذا لم تكن قيد الاستخدام النشط—تعديل أذونات المسؤول لمنع تثبيت الوحدات

5. مراقبة الاتصالات الصادرة HTTP/HTTPS من خوادم ProcessWire للوجهات المريبة



الضوابط التعويضية:

6. تنفيذ تصفية الخروج لحظر الاتصالات الصادرة إلى نطاقات RFC-1918 (10.0.0.0/8، 172.16.0.0/12، 192.168.0.0/16) و169.254.0.0/16 (نقاط نهاية البيانات الوصفية)

7. نشر قواعد جدار تطبيقات الويب (WAF) للكشف عن حظر الطلبات إلى نطاقات IP الداخلية في عناوين URL للوحدات

8. تفعيل السجلات التفصيلية لجميع أنشطة لوحة التحكم، خاصة محاولات تثبيت الوحدات

9. تنفيذ المراقبة على مستوى الشبكة للاتصالات بنقاط نهاية البيانات الوصفية للسحابة (169.254.169.254، metadata.google.internal، وما إلى ذلك)

10. مراجعة وتقييد حسابات المستخدمين الإداريين—إزالة الامتيازات الإدارية غير الضرورية



قواعد الكشف:

- تنبيه على طلبات HTTP من ProcessWire إلى نطاقات IP خاصة أو 169.254.x.x

- مراقبة محاولات الاتصال الفاشلة المتكررة بأجهزة مضيفة داخلية مختلفة

- تتبع سجلات الوصول إلى لوحة التحكم لاستخدام ميزة 'إضافة وحدة من URL'

- وضع علامة على أي محاولات تثبيت وحدة بعناوين URL مريبة أو داخلية

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information Security Policies (access control to admin functions) A.6.1.1 - Internal Organization (segregation of duties for admin access) A.8.1.1 - Asset Management (inventory and control of CMS systems) A.13.1.1 - Network Security (network segmentation and monitoring) A.13.1.3 - Segregation of Networks (isolation of sensitive systems)

🔵 SAMA CSF

ID.AM-2: Software Inventory (identify all ProcessWire instances) PR.AC-1: Access Control Policy (restrict admin panel access) PR.AC-4: Access Management (limit admin privileges) PR.DS-1: Data Security (protect internal network information) DE.CM-1: Network Monitoring (detect SSRF exploitation attempts)

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security (access control requirements) A.6.1.2 - Information security roles and responsibilities (admin oversight) A.8.1.1 - Inventory of assets (CMS asset management) A.13.1.1 - Network security perimeter (network segmentation) A.13.1.3 - Segregation of networks (isolation controls)

🟣 PCI DSS v4.0.1

Requirement 1.3 - Network Segmentation (isolate CMS from payment systems) Requirement 6.2 - Security patches and updates (monitor for patches) Requirement 7.1 - Limit access to system components (admin access control)

🔗 References & Sources 3

🔗

https://gist.github.com/thepiyushkumarshukla/7514e5eed526fd9d20fcfc42ce8d0a82

disclosure@vulncheck.com

🔗

https://processwire.com/

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/processwire-cms-ssrf-via-add-module-from-url

disclosure@vulncheck.com

📊 CVSS Score

6.8

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredH — High

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.8

CWECWE-918

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-04-15

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-918

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-40500

💬 Comments

Introduce Yourself

Sign In Required