CVE-2026-7025
Server-Side Request Forgery in Typecho Ping Back Service

Publication date: 2026-04-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Typecho up to 1.3.0. This vulnerability affects the function Service::sendPingHandle of the file var/Widget/Service.php of the component Ping Back Service Endpoint. The manipulation of the argument X-Pingback/link results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: typecho
Product: typecho
Version / Range: up to and including 1.3.0
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7025 is a Server-Side Request Forgery (SSRF) vulnerability found in Typecho Blog Platform versions 1.3.0 and earlier. It affects the asynchronous ping service endpoint, specifically the function Service::sendPingHandle in the file var/Widget/Service.php.

The vulnerability arises from weak token validation: the submitted token is checked with PHP's loose comparison operator (==), and in PHP the boolean true compares equal to any non-empty string, so a JSON body carrying "token": true passes the check without knowledge of the real token. Additionally, the pingback relay accepts user-supplied URLs, fetches them, and sends XML-RPC POST requests to whatever Pingback URL the fetched page advertises (its X-Pingback header or link element), with no restriction on the destination IP.

This creates a two-stage SSRF chain: the first request goes to the attacker's URL, and the second, an arbitrary POST, goes to whatever internal IP address and port the attacker names as the Pingback target, including localhost and private network addresses. The underlying HTTP client supports multiple protocols such as gopher://, dict://, and file://, which attackers can abuse to interact with internal services such as Redis, Memcached, and MySQL.
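To make the loose-comparison bypass concrete, here is an added PHP 8 example that is not Typecho's code: it runs several JSON bodies through a token check written with == and through a strict one. The token value is made up for the example.

```php
<?php
// Added example, not Typecho's code: shows why a token compared with PHP's
// loose == can be satisfied by the JSON boolean true, and what strict
// validation looks like. EXPECTED_TOKEN is a made-up value.
declare(strict_types=1);

const EXPECTED_TOKEN = 'a1b2c3d4'; // hypothetical secret token

// Vulnerable shape: loose comparison between the decoded JSON value and the
// expected string. true == 'any non-empty string' is true in PHP 5, 7 and 8.
function checkTokenLoose(mixed $supplied): bool
{
    return $supplied == EXPECTED_TOKEN;
}

// Hardened shape: reject anything that is not a string, then compare in
// constant time with hash_equals().
function checkTokenStrict(mixed $supplied): bool
{
    return is_string($supplied) && hash_equals(EXPECTED_TOKEN, $supplied);
}

// Run both checks over a set of JSON bodies a client might send.
// Returns ['<json body>' => ['loose' => bool, 'strict' => bool], ...].
function evaluateBodies(array $bodies): array
{
    $results = [];
    foreach ($bodies as $json) {
        $data  = json_decode($json, true);
        $token = $data['token'] ?? null;
        $results[$json] = [
            'loose'  => checkTokenLoose($token),
            'strict' => checkTokenStrict($token),
        ];
    }
    return $results;
}

// Constructed request bodies.
$bodies = [
    '{"token": "a1b2c3d4"}',   // the genuine token: both checks pass
    '{"token": true}',         // the bypass: only the loose check passes
    '{"token": 0}',            // PHP 8: 0 == "a1b2c3d4" is false (PHP 7: true)
    '{"token": "wrong"}',      // both checks fail
    '{}',                      // missing token: null == "a1b2c3d4" is false
];

foreach (evaluateBodies($bodies) as $body => $r) {
    printf("%-24s loose=%-5s strict=%s\n", $body,
        var_export($r['loose'], true), var_export($r['strict'], true));
}
```

The is_string() guard matters as much as the operator: with === alone a JSON boolean is already rejected, but the guard makes the intent explicit and keeps hash_equals() from throwing a TypeError on non-string input.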


How can this vulnerability impact me?

This vulnerability can have significant impacts including unauthorized internal network access and potential remote code execution.

  • Attackers can bypass authentication and send arbitrary POST requests to internal services that may be unauthenticated.
  • It allows attackers to access localhost, private IP ranges, and cloud metadata endpoints, potentially exposing sensitive internal data.
  • Protocol smuggling via gopher:// and other protocols enables interaction with internal TCP services, which can lead to service fingerprinting, port scanning, and exploitation.
  • Attackers may execute commands on internal services like Redis, potentially leading to remote code execution or data exfiltration.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring requests to the `/action/service?do=ping` endpoint of the Typecho platform, specifically POST requests that do not originate from the server itself (Typecho triggers its own asynchronous ping by calling this endpoint) and whose JSON body carries "token": true, the value that bypasses token validation.

Network detection can focus on identifying SSRF attempts by checking for outgoing requests from the server to internal IP addresses (such as 127.0.0.1 or RFC1918 private ranges) or unusual protocols like gopher://, dict://, and file://.

Suggested commands to detect exploitation attempts include:

  • Use web server access logs to filter requests to the vulnerable endpoint, for example: `grep '/action/service?do=ping' /var/log/nginx/access.log`. Depending on the rewrite rules in use the action may also appear as `/index.php/action/service`, so matching on `action/service` together with `do=ping` is safer.
  • Search for requests containing the token bypass: `grep -i '"token": true' /var/log/nginx/access.log`. Note that the default nginx and Apache access-log formats record only the request line, not the POST body, so this grep finds nothing unless request-body logging is enabled (for example through a WAF or application-level logging); the JSON may also arrive without the space after the colon.
  • Monitor outgoing connections from the server to internal IPs or unusual protocols using tools like `netstat` or `ss`: `netstat -anp | grep ESTABLISHED` or `ss -tnp`. Connections opened by the PHP process to ports such as 6379 (Redis), 11211 (Memcached) or 3306 (MySQL) on hosts the blog has no reason to talk to are the ones to look for.
  • Use packet capture tools such as tcpdump to detect suspicious outbound traffic: `tcpdump -i eth0 dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst host 169.254.169.254`. Traffic to 127.0.0.0/8 never leaves the host, so capture it on the loopback interface instead: `tcpdump -i lo dst net 127.0.0.0/8`.
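The log-based detection described above, as an added PHP 8 example that is not part of the page or of Typecho: it parses constructed nginx combined-format lines, picks out requests to the ping action and drops those coming from the host's own addresses (assumed here to be 203.0.113.10 and loopback, since the blog issues its asynchronous ping by calling itself). Request bodies are absent from access logs, so the "token": true signature cannot be checked this way; the source address is what the log does offer.

```php
<?php
// Added example, not from the page or from Typecho: flag requests to the
// Typecho ping action in nginx "combined" access-log lines. The log lines and
// the server's own addresses are constructed for the example.
declare(strict_types=1);

// Addresses the blog itself uses when it calls its own ping action (assumed).
const SELF_ADDRESSES = ['203.0.113.10', '127.0.0.1', '::1'];

// Split one combined-format line into fields; null when the line does not match.
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'uri' => $m[4], 'status' => (int) $m[5], 'ua' => $m[7]];
}

// True when the request line targets the service action with do=ping. The
// path is matched by suffix because the action may be reached as
// /action/service or /index.php/action/service depending on rewrite rules.
function isPingRequest(string $uri): bool
{
    $path  = (string) (parse_url($uri, PHP_URL_PATH) ?: '');
    $query = (string) (parse_url($uri, PHP_URL_QUERY) ?: '');
    parse_str($query, $params);
    return str_ends_with(rtrim($path, '/'), '/action/service')
        && ($params['do'] ?? '') === 'ping';
}

// Ping requests that did not originate from the host itself.
function findSuspiciousPings(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parseAccessLine($line);
        if ($r === null || !isPingRequest($r['uri'])) {
            continue;
        }
        if (in_array($r['ip'], SELF_ADDRESSES, true)) {
            continue; // the blog's own asynchronous ping after publishing
        }
        $hits[] = $r;
    }
    return $hits;
}

// Constructed sample lines: one legitimate self-ping, one ordinary page view,
// two POSTs to the ping action from an outside address.
$log = [
    '203.0.113.10 - - [27/Apr/2026:10:00:01 +0000] "POST /action/service?do=ping HTTP/1.1" 200 12 "-" "Typecho"',
    '198.51.100.7 - - [27/Apr/2026:10:02:13 +0000] "GET /index.php/archives/1/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Apr/2026:10:02:40 +0000] "POST /action/service?do=ping HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [27/Apr/2026:10:02:41 +0000] "POST /index.php/action/service?do=ping HTTP/1.1" 200 12 "-" "python-requests/2.31"',
];

foreach (findSuspiciousPings($log) as $h) {
    printf("%s %s %s %s \"%s\"\n", $h['time'], $h['ip'], $h['method'], $h['uri'], $h['ua']);
}
```

Feed a real access log with `$log = file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` and adjust SELF_ADDRESSES to the addresses the blog actually binds; a reverse proxy in front of PHP will make every request appear to come from the proxy, in which case the client address has to be taken from the X-Forwarded-For field instead.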

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling the ping service if it is not in use to prevent exploitation.

Apply strict destination filtering in the vulnerable function: resolve the host of every URL the relay is about to contact and reject any that resolves to a loopback, private (RFC 1918), link-local (which includes the cloud metadata address 169.254.169.254) or otherwise reserved range; restrict the HTTP client to http:// and https:// so that gopher://, dict:// and file:// cannot be reached; and do not follow redirects, since a redirect can send the client to an internal address after the check has passed.

Fix the token validation mechanism by replacing the loose PHP comparison (==) with a strict comparison (===), after first checking that the supplied value is a string so that a JSON boolean or number is rejected outright; comparing with hash_equals() additionally makes the check constant-time.

As a longer-term solution, upgrade to the latest patched version of Typecho when available, or consider removing the automatic Pingback relay feature entirely due to its inherent risks.
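The destination check and client lock-down described above, as an added PHP 8 example that is not Typecho's code: the host names, the stub DNS answers and the function names are assumptions for the example, and the check is written for the point in the relay where a Pingback URL extracted from a remote page is about to be POSTed to.

```php
<?php
// Added example, not Typecho's code: the destination check a pingback relay
// should run before it POSTs to a URL taken from a remote page's X-Pingback
// header or <link> element. Host names, resolver and helpers are assumptions.
declare(strict_types=1);

// Resolve a host to all of its A records. IPv6 resolution via dns_get_record()
// is left out here; a production check must cover AAAA answers too.
function resolveAll(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host]; // literal IP, nothing to resolve
    }
    return gethostbynamel($host) ?: [];
}

// Reject an IP that is private, loopback, link-local (which covers the cloud
// metadata address 169.254.169.254) or otherwise reserved.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Null when the URL may be contacted, otherwise the reason it was rejected.
// $resolver lets callers (and offline demos) supply DNS answers.
function rejectPingbackUrl(string $url, ?callable $resolver = null): ?string
{
    $resolver ??= 'resolveAll';
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable URL';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme {$scheme} not allowed"; // blocks gopher, dict, file, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL';
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = $resolver($host);
    if ($ips === []) {
        return 'host does not resolve';
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return "resolves to non-public address {$ip}";
        }
    }
    return null;
}

// cURL handle for the XML-RPC POST with the client itself locked down:
// http(s) only, no redirects (a 3xx could point back inside), short timeouts.
// The check above and the connect are separate steps, so a host whose DNS
// answer changes between them (DNS rebinding) can still slip through; pinning
// the checked IP with CURLOPT_RESOLVE closes that gap.
function buildPingbackHandle(string $url, string $xmlRpcBody): \CurlHandle
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => $xmlRpcBody,
        CURLOPT_HTTPHEADER      => ['Content-Type: text/xml'],
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_RETURNTRANSFER  => true,
    ]);
    return $ch;
}

// Offline demonstration with a stub resolver (constructed DNS answers).
$stubDns = fn(string $h): array => match ($h) {
    'blog.example'     => ['198.51.100.20'],
    'internal.example' => ['10.0.0.5'],
    default            => filter_var($h, FILTER_VALIDATE_IP) ? [$h] : [],
};
foreach ([
    'http://blog.example/xmlrpc.php',
    'http://internal.example/xmlrpc.php',
    'http://127.0.0.1:6379/',
    'http://169.254.169.254/latest/meta-data/',
    'gopher://127.0.0.1:6379/',
    'http://[::1]/',
] as $u) {
    printf("%-45s %s\n", $u, rejectPingbackUrl($u, $stubDns) ?? 'allowed');
}
```

Only the first URL is allowed; the rest are rejected by scheme or by the address they point at. The same rejectPingbackUrl() check belongs on the first-stage fetch of the user-supplied URL as well, since that request is equally attacker-controlled.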


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Typecho up to version 1.3.0 allows unauthenticated attackers to perform server-side request forgery (SSRF), potentially enabling access to internal services, data exfiltration, and remote code execution. Such unauthorized access and data exposure risks can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized access and breaches.

Specifically, the SSRF vulnerability could allow attackers to pivot within internal networks, access private IP ranges, and interact with internal services that may contain regulated data. This undermines confidentiality, integrity, and availability principles mandated by these standards, thereby negatively impacting compliance.

Mitigations such as disabling the vulnerable ping service, applying strict IP filtering, and fixing token validation are recommended to reduce the risk and help maintain compliance.

