Apache Fesod (Incubating) security advisories

Security information for Apache Fesod (Incubating)

Reporting

Do you want disclose a potential security issue for Apache Fesod (Incubating)? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Improper validation of user-supplied URLs leading to SSRF

CVE-2026-49328 [CVE] [CVE json]

Last updated: 2026-06-01T10:10:32.924Z

Affected

  • Apache Fesod (Incubating) before 2.0.2-incubating

Description

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

References

Credits

  • Xu Han (finder)