CVSS 7.3 · HIGH

CVE-2026-7025

A vulnerability was found in Typecho up to 1.3.0. This vulnerability affects the function Service::sendPingHandle of the file var/Widget/Service.php of the component Ping Back Service Endpoint. The manipulation of the argument X-Pingback/link results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

View in NVD

Analysis

Typecho is a lightweight PHP CMS with relatively low adoption in the MexicoDev ecosystem compared to WordPress or Laravel. While this is a high-severity SSRF with a public exploit, the impact is confined to a niche product that most community members do not use in production.
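The weakness class here (CWE-918) is an endpoint that issues an outbound HTTP request to a URL the caller supplies, in this case the pingback target taken from the `X-Pingback`/`link` argument. The standard mitigation is to validate the target before any request is made: accept only `http`/`https`, reject credentials in the URL, and refuse any host that is, or resolves to, a loopback, private, link-local or otherwise non-public address. The PHP below is an added example of such a check, written for this page; it is not Typecho's code and does not reflect how the project fixed or may fix the issue. Function names, the injectable `$resolve` callable, and the sample hostnames and addresses are assumptions constructed for illustration, and the code assumes PHP 8 for `str_starts_with`/`str_ends_with`.

```php
<?php
// Added example, not Typecho's code: validate an outbound pingback target
// before a CMS issues the request described in the advisory.
// Function and parameter names are assumptions for illustration.

declare(strict_types=1);

/**
 * Returns true only when $url is an absolute http(s) URL whose host resolves
 * exclusively to public, globally routable addresses.
 *
 * $resolve maps a hostname to a list of IP strings. It defaults to PHP's
 * gethostbynamel() and is injectable so the check can be exercised offline.
 */
function isSafePingbackTarget(string $url, ?callable $resolve = null): bool
{
    $resolve = $resolve ?? static fn(string $h): array => gethostbynamel($h) ?: [];

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                                   // relative or unparsable URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                                   // no file://, gopher://, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                                   // reject user:pass@host forms
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return false;                                   // keep to well-known web ports
    }

    $host = strtolower(trim($parts['host'], '[]'));     // strip IPv6 brackets
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return false;
    }

    // An IP literal is checked directly; a hostname is resolved and EVERY
    // returned address must be public (a single private answer fails the check).
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addresses === []) {
        return false;                                   // unresolvable: do not guess
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return false;
        }
    }
    return true;
}

function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 space and fc00::/7; NO_RES_RANGE rejects
    // loopback, link-local (169.254/16, fe80::/10), 0.0.0.0/8, 240/4 and ::ffff:0:0/96.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    // Ranges the filter flags leave alone: CGNAT (RFC 6598) and IPv4 multicast.
    foreach (['100.64.0.0/10', '224.0.0.0/4'] as $cidr) {
        if (inIpv4Cidr($ip, $cidr)) {
            return false;
        }
    }
    return true;
}

function inIpv4Cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                                   // not an IPv4 literal
    }
    $mask = ((-1 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Constructed resolver standing in for DNS so the example runs offline.
$fakeDns = static fn(string $host): array => [
    'blog.example.org'     => ['203.0.113.10'],
    'intranet.example.org' => ['203.0.113.11', '10.0.0.5'],   // one private answer -> reject
][$host] ?? [];

foreach ([
    'https://blog.example.org/post/1',      // allow
    'http://127.0.0.1/',                    // reject: loopback
    'http://169.254.169.254/',              // reject: link-local
    'http://intranet.example.org/',         // reject: mixed public/private answers
    'http://[::1]/',                        // reject: IPv6 loopback
    'file:///etc/passwd',                   // reject: scheme
] as $candidate) {
    printf("%-40s %s\n", $candidate, isSafePingbackTarget($candidate, $fakeDns) ? 'allow' : 'reject');
}
```

Two caveats for real deployments. `gethostbynamel()` returns only A records, so a production resolver should also query AAAA records (for example via `dns_get_record()`) and run every address through `isPublicAddress()`. The validated address must also be the one the HTTP client actually connects to, so pin it (or re-resolve inside the client with the same check) and re-validate each hop if redirects are followed; otherwise DNS rebinding or a redirect to an internal host bypasses the check.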

Severity

Score: 7.3 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: LOW
Weakness type (CWE): CWE-918

EPSS

Probability of exploitation (next 30 days): 0.0005 (0.1%)
Percentile: 15.2%
EPSS date: 2026-05-06

Published: 26/4/2026, 8:16:00
Last modified: 29/4/2026, 1:00:01