Cyber Posture

CVE-2026-7025

Severity: High

Published: 26 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: none reported
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-7025 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Typecho up to and including version 1.3.0 (the product is taken from the NVD description; NVD filed no CPE for this CVE). Its CVSS 3.1 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score of 0.0005 places it at the 15.4th percentile by predicted exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that EPSS is a prediction: a public exploit already exists for this flaw (see the NVD description), so the low score should not be read as low urgency for Internet-exposed Typecho installations.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mitigates the SSRF by validating the manipulated X-Pingback/link argument in the Ping Back Service Endpoint before the server issues any request derived from it.

CM-7 Least Functionality (prevent)

Prevents exploitation by restricting the system to least functionality, for example disabling the Ping Back Service Endpoint where pingbacks are not needed.

SC-7 Boundary Protection (prevent, detect)

Provides defense in depth by monitoring and controlling outbound communications at the network boundary, so that a forged request from the web server to internal resources is blocked and logged even if the application-level check is missing.
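The controls above describe the validation and the outbound monitoring only in words. The following is an added example written for this page, in Python, not code from Typecho or from any of the cited advisories. It shows the SI-10 half (refuse a URL before the server requests it, checking scheme, credentials, port and every address the host resolves to, with IPv4-mapped IPv6 literals and unparsable hosts failing closed) and the SC-7 half (scan constructed egress records for a web host reaching a destination the validator would have refused). The function names, the FAKE_DNS table, the SAMPLE_EGRESS lines and their `src=/dst=/dport=` field format are assumptions of this example; the address ranges are the standard private, loopback, link-local, CGNAT, multicast and reserved blocks.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Address ranges that a server-initiated fetch (a pingback target, or the URL
# a remote site hands back in an X-Pingback header) must never reach.
FORBIDDEN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_PORTS = (80, 443)

def is_forbidden_address(ip_text):
    """True unless ip_text is a routable public address. Unparsable input
    fails closed; IPv4-mapped IPv6 literals are judged by their IPv4 form."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in FORBIDDEN_NETWORKS)

def system_resolver(host):
    """OS resolver returning every address for host, not just the first."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def validate_outbound_url(url, resolver=system_resolver):
    """Return (ok, reason) for a URL the server is about to request.
    `resolver` maps a hostname to a list of IP strings (injectable for tests)."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "unparsable URL or port"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL"
    if not parts.hostname:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:                       # literal address; urlsplit already strips [ ]
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:         # a name: every address it maps to must pass
        addrs = resolver(parts.hostname) or []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, "resolves to forbidden address %s" % addr
    return True, "ok"

# Assumed egress-record format for the detection side: one line per outbound
# connection from the web tier, as an egress proxy or flow log might emit it.
EGRESS_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def flag_egress_records(lines, web_hosts):
    """Return records where a web host reached a destination or port that
    validate_outbound_url would have refused: the monitoring half of SC-7."""
    hits = []
    for line in lines:
        m = EGRESS_RE.search(line)
        if not m or m.group(1) not in web_hosts:
            continue
        if is_forbidden_address(m.group(2)) or int(m.group(3)) not in ALLOWED_PORTS:
            hits.append(line)
    return hits

# Constructed sample data (not from any real resolver or deployment).
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "rebind.attacker.test": ["203.0.113.7", "127.0.0.1"],
    "metadata.test": ["169.254.169.254"],
}
SAMPLE_EGRESS = [
    "2026-04-27T10:15:01Z src=10.20.0.5 dst=93.184.216.34 dport=443 proc=php-fpm",
    "2026-04-27T10:15:02Z src=10.20.0.5 dst=169.254.169.254 dport=80 proc=php-fpm",
    "2026-04-27T10:15:03Z src=10.20.0.5 dst=127.0.0.1 dport=6379 proc=php-fpm",
]

if __name__ == "__main__":
    for u in ("http://example.org/post/1", "http://[::ffff:127.0.0.1]/",
              "http://rebind.attacker.test/x", "http://127.0.0.1:6379/",
              "http://metadata.test/latest/", "file:///etc/passwd"):
        print(u, "->", validate_outbound_url(u, FAKE_DNS.get))
    for rec in flag_egress_records(SAMPLE_EGRESS, {"10.20.0.5"}):
        print("EGRESS ALERT:", rec)
```

Two caveats apply to any check of this shape. First, validating and then connecting leaves a DNS rebinding window: the HTTP client should connect to the address that passed the check (sending the original Host header) rather than resolving the name a second time. Second, a public target can answer with a 30x redirect to an internal address, so the fetch must either not follow redirects or run each hop through the same validator; the URL returned in a remote site's X-Pingback header is under that site's control and must be validated the same way as the original link.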

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An SSRF in the public-facing Typecho web application, exploitable remotely without authentication, maps directly to T1190: initial access by exploiting a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in Typecho up to 1.3.0. This vulnerability affects the function Service::sendPingHandle of the file var/Widget/Service.php of the component Ping Back Service Endpoint. The manipulation of the argument X-Pingback/link results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2026-7025 is a server-side request forgery (SSRF) vulnerability in Typecho versions up to 1.3.0. It affects the Service::sendPingHandle function within the file var/Widget/Service.php, part of the Ping Back Service Endpoint. The issue arises from manipulation of the X-Pingback/link argument, allowing remote attackers to forge requests from the server.

The vulnerability can be exploited remotely by unauthenticated attackers with network access, as indicated by its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impact on confidentiality, integrity, and availability through SSRF, potentially allowing attackers to interact with internal services or resources inaccessible from the internet.

Advisories from VulDB (submit/797772, vuln/359605 and vuln/359605/cti) and a detailed report on wang1rrr.github.io describe the flaw and note that the vendor did not respond despite early contact. No patch or official mitigation is mentioned, so affected systems depend on workarounds: disabling the Ping Back Service Endpoint, or validating the URL before the server requests it.

An exploit for this vulnerability has been made public, increasing the risk of active exploitation in unpatched Typecho installations.

Details

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Affected Products

Typecho up to 1.3.0
taken from the NVD description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-21385 (shared CWE-918)
CVE-2025-52362 (shared CWE-918)
CVE-2026-31317 (shared CWE-918)
CVE-2026-5016 (shared CWE-918)
CVE-2026-26338 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-68030 (shared CWE-918)
CVE-2025-27651 (shared CWE-918)
CVE-2026-39362 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
