CVE-2026-24138
Published: 23 January 2026
Summary
CVE-2026-24138 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SSRF in public-facing getversion.php directly enables remote exploitation of a web app (T1190) and server-side retrieval of local/internal files/resources (T1005).
NVD Description
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and…
more
files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication.
Deeper analysisAI
CVE-2026-24138 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the FOG Project, a free open-source cloning, imaging, rescue suite, and inventory management system. It affects versions 1.5.10.1754 and below, specifically in the getversion.php component. The flaw arises from a user-controlled 'url' parameter that allows arbitrary resource fetching when exploited.
Remote attackers can exploit this vulnerability over the network with low attack complexity, no privileges, no user interaction, and no scope change (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Unauthenticated access is possible by including the 'newService=1' parameter in requests, enabling attackers to force the FOG server to fetch internal websites and local files on the host machine, resulting in high confidentiality impact through exposure of sensitive internal resources.
The GitHub Security Advisory at https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj documents the issue, published on 2026-01-23. No fixed release version was available at the time of publication.
Details
- CWE(s)