CVE-2026-25870
📋 TL;DR
DoraCMS versions 3.1 and earlier contain a server-side request forgery (SSRF) vulnerability in the UEditor remote image fetch feature. An attacker who can supply the image URL can make the server issue requests to arbitrary internal or external hosts, potentially exposing internal network resources to someone who has no direct route to them. All deployments running vulnerable versions are affected.
💻 Affected Systems
- DoraCMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete internal network mapping, access to internal services, denial of service through resource exhaustion, and potential data exfiltration.
Likely Case
Internal network scanning, limited data exposure from internal services, and potential service disruption.
If Mitigated
Limited to external resource scanning with proper network segmentation and request controls.
🎯 Exploit Status
Exploitation requires only simple HTTP request manipulation (a crafted image URL); the page reports that no authentication is needed for the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/doramart/DoraCMS/issues/268
Restart Required: No
Instructions:
1. Monitor the GitHub repository for a patch.
2. Apply the patch when it becomes available.
3. Test the remote image fetch functionality after patching.
🔧 Temporary Workarounds
- Disable UEditor remote image fetch: disable the vulnerable functionality completely by editing the DoraCMS configuration to turn off remote image fetching in UEditor.
- Implement URL validation middleware: add server-side validation that restricts the URLs the fetcher will accept, using an allowlist check before any request is made. Validate the resolved address as well as the literal host, and apply the same check to every redirect the fetch follows.
🧯 If You Can't Patch
- Implement network segmentation to restrict server outbound connections
- Deploy web application firewall with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Test whether the UEditor remote image fetch accepts URLs pointing to internal IP addresses or other restricted resources: supply the URL of a listener you control (or an internal service you are authorized to probe) and confirm whether the server's request arrives. Also try a hostname that resolves to an internal address and an external URL that redirects to an internal one, since a check on the literal host alone misses both.
Check Version:
Check DoraCMS version in admin panel or configuration files.
Verify Fix Applied:
Verify that URL validation rejects internal IP addresses, including hostnames that resolve to them and redirects that lead to them, and enforces the allowlist restrictions.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from server
- Requests to internal IP ranges from web application
Network Indicators:
- Server making unexpected HTTP requests to internal network segments
SIEM Query (pseudo-syntax; map the field names to your log schema):
source_ip=webserver AND dest_ip=internal_range AND protocol=HTTP