PatchSiren cyber security CVE debrief
CVE-2026-41195 mosparo CVE debrief
CVE-2026-41195 describes a stored server-side request forgery (SSRF) issue in mosparo’s automatic rule package source URL feature. Before 1.4.13, a project member with the editor role could save an attacker-controlled URL, and the server would later fetch it. Because redirects were followed and private or loopback destinations were not restricted, the feature could be used as an internal HTTP probing oracle. The issue was fixed in mosparo 1.4.13.
- Vendor: mosparo
- Product: Unknown
- CVSS: 5 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
mosparo administrators, security teams, and project owners who allow editor-role members to manage automatic rule package sources. Any deployment that can reach internal or loopback services from the mosparo server should treat this as relevant.
Technical summary
The vulnerability is a stored SSRF condition in the automatic rule package source URL workflow. The attacker needs editor-level project access, then stores a URL that the server later requests. The server follows HTTP/HTTPS redirects and does not block private or loopback targets, which can expose internal network reachability and HTTP response behavior. NVD lists the weakness as CWE-918 and the CVSS vector as AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, consistent with a network-reachable SSRF that can leak limited information.
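To make the two missing controls concrete, here is an added illustration (not mosparo's code, and not the 1.4.13 fix itself) of a destination guard applied to a stored source URL and to every redirect hop: the hostname is resolved, each resulting address is checked against loopback and private ranges, and redirects are followed by hand so the same check runs before each hop is fetched. The resolver and HTTP fetch are injectable; the FAKE_DNS and FAKE_SITES tables are constructed stand-ins so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

def _is_disallowed_ip(ip):
    # Loopback, RFC 1918, link-local, multicast, reserved, unspecified: never a valid source.
    a = ipaddress.ip_address(ip)
    return (a.is_loopback or a.is_private or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)

def validate_source_url(url, resolve=socket.getaddrinfo):
    """Return None if the URL may be fetched, else a rejection reason (resolver injectable)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return "scheme must be http or https"
    if not p.hostname:                      # getaddrinfo(None, ...) would mean localhost
        return "missing host"
    try:
        infos = resolve(p.hostname, p.port or (443 if p.scheme == "https" else 80))
    except OSError:
        return "host does not resolve"
    for info in infos:                      # every address the name resolves to must pass
        if _is_disallowed_ip(info[4][0]):
            return f"host resolves to disallowed address {info[4][0]}"
    return None

def fetch_checked(url, fetch, resolve=socket.getaddrinfo, max_hops=3):
    """Follow redirects by hand so every hop is validated before it is fetched."""
    for _ in range(max_hops + 1):
        reason = validate_source_url(url, resolve)
        if reason:
            raise ValueError(f"blocked {url}: {reason}")
        status, headers, body = fetch(url)  # fetch(url) -> (status, headers, body)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = urljoin(url, headers["Location"])   # Location may be relative
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP (placeholder addresses, not real hosts).
FAKE_DNS = {"rules.example.com": "11.22.33.44", "redirector.example.com": "11.22.33.45"}
FAKE_SITES = {
    "https://rules.example.com/rules.json": (200, {}, b'{"rules": []}'),
    "https://redirector.example.com/pkg": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
}

def fake_resolve(host, port):               # NXDOMAIN is not modelled; literals pass through
    ip = FAKE_DNS.get(host, host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]
def fake_fetch(url):
    return FAKE_SITES.get(url, (404, {}, b""))
```

The check must also hold at connect time (pin the validated address or re-check inside the HTTP client), since a DNS answer that changes between validation and connection would otherwise bypass it.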
Defensive priority
Medium priority. Remediate promptly if editor-role users are not fully trusted or if the mosparo server can reach sensitive internal hosts. The confidentiality impact is limited, but the issue can still aid internal probing and service discovery.
Recommended defensive actions
- Upgrade mosparo to version 1.4.13 or later.
- Review which users have the editor role in projects that can configure automatic rule package sources.
- Restrict the mosparo server’s outbound network access where practical, especially to internal and loopback ranges.
- Monitor for unusual outbound fetches originating from mosparo, including redirects to unexpected destinations.
- If immediate patching is not possible, disable or tightly limit the automatic rule package source URL feature until upgraded.
Evidence notes
The supplied CVE description states the pre-1.4.13 issue, redirect-following behavior, lack of private/loopback restriction, and fix in 1.4.13. The NVD record lists CWE-918 and the CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, and NVD currently marks the vulnerability status as Deferred. The GitHub Security Advisory link in the source references the same issue.
Official resources
- CVE-2026-41195 CVE record (CVE.org)
- CVE-2026-41195 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Publicly disclosed through the GitHub Security Advisory referenced by NVD and recorded as CVE-2026-41195 on 2026-05-12, with the record updated on 2026-05-18.