{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/typecho/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7025"}],"_cs_exploited":false,"_cs_products":["Typecho (\u003c= 1.3.0)"],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-7025","typecho"],"_cs_type":"advisory","_cs_vendors":["Typecho"],"content_html":"\u003cp\u003eTypecho versions up to 1.3.0 are affected by a server-side request forgery (SSRF) vulnerability (CVE-2026-7025). The vulnerability resides in the \u003ccode\u003eService::sendPingHandle\u003c/code\u003e function within the \u003ccode\u003evar/Widget/Service.php\u003c/code\u003e file, specifically impacting the Ping Back Service Endpoint component. An attacker can remotely trigger this vulnerability by manipulating the \u003ccode\u003eX-Pingback/link\u003c/code\u003e argument. Publicly available exploits exist, increasing the risk of exploitation. The vendor was notified but did not respond. 
This vulnerability allows an attacker to potentially make arbitrary HTTP requests from the server, leading to information disclosure or further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Typecho instance running a vulnerable version (\u0026lt;= 1.3.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Pingback service endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a manipulated \u003ccode\u003eX-Pingback\u003c/code\u003e or \u003ccode\u003elink\u003c/code\u003e argument pointing to an attacker-controlled server or internal resource.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eService::sendPingHandle\u003c/code\u003e function processes the request and attempts to fetch the resource specified in the \u003ccode\u003eX-Pingback/link\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eDue to the SSRF vulnerability, the Typecho server makes an outbound HTTP request to the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server logs the incoming request from the Typecho server, confirming the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use this SSRF vulnerability to scan internal networks, read sensitive files, or interact with internal services.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation could lead to information disclosure, further exploitation of internal services, or denial-of-service attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7025 can allow an attacker to perform unauthorized actions on the internal network of the Typecho server. This includes port scanning, accessing internal services, and potentially reading sensitive data. 
The number of affected installations is unknown, but any Typecho instance running version 1.3.0 or earlier is vulnerable. The impact is limited to the permissions of the Typecho web server process, but can expose sensitive internal services that are not directly accessible from the internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eX-Pingback/link\u003c/code\u003e argument to prevent arbitrary URL inclusion, mitigating CVE-2026-7025.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing unusual URLs in the \u003ccode\u003eX-Pingback\u003c/code\u003e header, which can indicate SSRF attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks by restricting the web server\u0026rsquo;s access to internal resources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious X-Pingback Header\u003c/code\u003e to identify potential SSRF attempts targeting the Pingback service.\u003c/li\u003e\n\u003cli\u003eAudit outbound network connections from the web server to detect unauthorized access to internal resources as a result of SSRF.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T08:17:46Z","date_published":"2026-04-26T08:17:46Z","id":"/briefs/2026-04-typecho-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in Typecho up to version 1.3.0, allowing remote attackers to manipulate the X-Pingback/link argument in the Service::sendPingHandle function to potentially make arbitrary HTTP requests.","title":"Typecho \u003c= 1.3.0 Server-Side Request Forgery Vulnerability (CVE-2026-7025)","url":"https://feed.craftedsignal.io/briefs/2026-04-typecho-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Typecho","version":"https://jsonfeed.org/version/1.1"}