Cyber Posture

CVE-2026-41461

Severity: High · Public PoC

Published: 23 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41461 is a high-severity SSRF (CWE-918) vulnerability in Socialengine Socialengine. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation of the user-supplied 'uri' parameter to prevent unsanitized inputs from being used to construct arbitrary outbound HTTP requests to internal or attacker-controlled destinations.

AC-4 Information Flow Enforcement (prevent): Enforces approved information flow policies to restrict the application's outbound HTTP requests to only authorized external destinations, blocking access to internal networks or loopback addresses.

Boundary protection (prevent): Provides boundary protection via firewalls or proxies to monitor and block unauthorized outbound connections from the vulnerable /core/link/preview endpoint to internal services.
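One way to implement the input-validation and information-flow controls above for a user-supplied preview URL, as an added example that is not SocialEngine's code: it allowlists the scheme, resolves the host, and rejects any destination in loopback, private, link-local (cloud metadata) or other non-routable ranges, vetting every DNS record rather than just the first. The function names and the FAKE_DNS table are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _is_disallowed(ip):
    # Loopback, private (RFC 1918/ULA), link-local (incl. 169.254.169.254 cloud
    # metadata), multicast, reserved and unspecified addresses are never fetched.
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_all(hostname):
    # Real resolver: every A/AAAA record, so a name mixing public and internal
    # records is rejected as a whole.
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(i[4][0]) for i in infos]

def check_preview_uri(uri, resolver=resolve_all):
    """Vet a user-supplied preview URL before any outbound request is made.
    Returns (True, [ip, ...]) with the IP(s) the fetcher may connect to, or
    (False, reason). Connect to a returned IP rather than re-resolving the name,
    or the DNS answer could change between this check and the fetch."""
    parts = urlsplit(uri.strip())
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:                        # IP literal (IPv4 or bracketed IPv6)?
        addrs = [ipaddress.ip_address(host)]
    except ValueError:          # hostname: resolve and vet every record
        addrs = resolver(host)
    if not addrs:
        return False, f"host did not resolve: {host}"
    for ip in addrs:
        if _is_disallowed(ip):
            return False, f"{host} -> {ip} is not an allowed destination"
    return True, [str(ip) for ip in addrs]

# Constructed lookup table standing in for DNS so the demo runs offline.
FAKE_DNS = {"example.com": ["93.184.216.34"],                # sample public address
            "intranet.corp": ["10.0.0.5"],                   # RFC 1918 range
            "rebind.test": ["93.184.216.34", "127.0.0.1"]}   # public + loopback record

def fake_resolver(hostname):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(hostname, [])]
```

Pair this with an egress firewall or proxy rule (the boundary-protection control above) so that a bypass of the application-level check still cannot reach internal services.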

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1018 Remote System Discovery (Discovery): Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1522 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

An SSRF in a public-facing application enables T1190; arbitrary URI requests allow blind enumeration of internal hosts and services, mapping to T1018 and T1046; the potential to reach cloud instance metadata endpoints maps to T1522.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs including internal network addresses and loopback addresses to cause the server to issue HTTP requests to attacker-controlled destinations, enabling internal network enumeration and access to services not intended to be externally reachable.

Deeper analysis

CVE-2026-41461 is a blind server-side request forgery (SSRF) vulnerability affecting SocialEngine versions 7.8.0 and prior. The issue resides in the /core/link/preview endpoint, where the user-supplied uri request parameter is not sanitized before being incorporated into outbound HTTP requests. This flaw, classified under CWE-918, carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), highlighting its high severity due to network accessibility, low complexity, and significant confidentiality impact with changed scope.

Authenticated remote attackers with low privileges can exploit this vulnerability by submitting arbitrary URLs, including those targeting internal network addresses or loopback interfaces (e.g., 127.0.0.1). This forces the SocialEngine server to issue HTTP requests to attacker-controlled or internal destinations, facilitating blind internal network enumeration and potential access to services not meant to be exposed externally, such as metadata endpoints or other intranet resources.

Advisories detailing mitigation strategies are available from multiple sources, including Karma Infosec (KIS-2026-07 at https://karmainsecurity.com/KIS-2026-07), VulnCheck (https://www.vulncheck.com/advisories/socialengine-blind-ssrf-via-core-link-preview), SocialEngine's official site (https://socialengine.com), and the Full Disclosure mailing list (http://seclists.org/fulldisclosure/2026/Apr/11). Security practitioners should consult these for patch availability, input validation recommendations, and network controls that restrict outbound requests from the affected endpoint.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: socialengine socialengine ≤ 7.8.0

CVEs Like This One

CVE-2026-41460 (same product: Socialengine Socialengine)
CVE-2026-35037 (shared CWE-918)
CVE-2026-33024 (shared CWE-918)
CVE-2026-35187 (shared CWE-918)
CVE-2026-5936 (shared CWE-918)
CVE-2026-34954 (shared CWE-918)
CVE-2026-27696 (shared CWE-918)
CVE-2026-4200 (shared CWE-918)
CVE-2026-33321 (shared CWE-918)
CVE-2026-40114 (shared CWE-918)
