MEDIUM
processwire
CVE published 2026-04-15
CVE-2026-40500
CVE-2026-40500 is a server-side request forgery vulnerability in ProcessWire CMS versions 3.0.255 and prior. The vulnerability exists in the admin panel's 'Add Module From URL' feature, allowing authenticated administrators to supply arbitrary URLs to the module download parameter. This causes the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can explo [truncated]