CVE-2026-49328 PUBLISHED

Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF

Assigner: apache
Reserved: 29.05.2026 Published: 01.06.2026 Updated: 01.06.2026

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Fesod (Incubating)
Versions	Default: unaffected affected from 0 to 2.0.2-incubating (excl.)

Credits

Xu Han finder

References

https://github.com/apache/fesod/pull/917
https://github.com/apache/fesod/releases/tag/2.0.2-incubating
https://fesod.apache.org/docs/download
https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE