CVE-2026-36759
SSRF in Halo CMS via Upgrade Endpoint
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| halo | halo | 2.22.14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-36759 vulnerability allows authenticated attackers to scan internal resources via SSRF, potentially exposing sensitive internal data.
Such exposure of sensitive internal resources could lead to unauthorized access or data leakage, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and internal systems.
However, the provided information does not explicitly mention the direct impact on compliance frameworks or specific regulatory requirements.
Can you explain this vulnerability to me?
CVE-2026-36759 is a Server-Side Request Forgery (SSRF) vulnerability in Halo version 2.22.14, specifically in the /themes/{name}/upgrade-from-uri endpoint.
This vulnerability allows authenticated attackers to send crafted HTTP GET requests to internal network resources by exploiting the way the application fetches plugin updates from user-supplied URIs without proper validation or sanitization.
The flaw exists because the application does not restrict URI schemes or validate host addresses, enabling attackers to scan internal resources by redirecting requests to internal IP addresses.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with authenticated access to scan and potentially access internal network resources that are normally protected from external access.
Such unauthorized internal scanning can lead to exposure of sensitive information, identification of internal services, and potentially facilitate further attacks within the internal network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual HTTP GET requests to the `/themes/{name}/upgrade-from-uri` endpoint, especially those containing URIs that point to internal network addresses.
Since exploitation involves sending crafted GET requests to internal IPs via the vulnerable endpoint, you can look for such requests in your web server logs or use network monitoring tools to detect them.
A practical approach is to search your access logs for requests to the vulnerable endpoint with suspicious query parameters or payloads referencing internal IP addresses.
- Example command to search Apache or Nginx logs for suspicious requests (adjust log path accordingly):
- grep "/themes/.*/upgrade-from-uri" /var/log/nginx/access.log | grep -E "(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"
- Use network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP GET requests from the server to internal IP ranges.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/themes/{name}/upgrade-from-uri` to trusted users only, as exploitation requires authentication.
Implement input validation or filtering to block requests containing internal IP addresses or disallowed URI schemes.
A suggested fix is to implement a blacklist that blocks internal IP addresses from being used in the URI parameter to prevent SSRF attacks.
Additionally, monitor logs for suspicious activity and consider applying any available patches or updates from the vendor addressing this issue.