Apache Fesod (Incubating) security advisories
Security information for Apache Fesod (Incubating)
Reporting
Do you want disclose a potential security issue for Apache Fesod (Incubating)? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Improper validation of user-supplied URLs leading to SSRF
CVE-2026-49328 [CVE] [CVE json]
Last updated: 2026-06-01T10:10:32.924Z
Affected
- Apache Fesod (Incubating) before 2.0.2-incubating
Description
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.
References
- https://github.com/apache/fesod/pull/917
- https://github.com/apache/fesod/releases/tag/2.0.2-incubating
- https://fesod.apache.org/docs/download
- https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj
Credits
- Xu Han (finder)