PatchSiren

processwire CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM processwire CVE published 2026-04-15

CVE-2026-40500

CVE-2026-40500 is a server-side request forgery vulnerability in ProcessWire CMS versions 3.0.255 and prior. The vulnerability exists in the admin panel's 'Add Module From URL' feature, allowing authenticated administrators to supply arbitrary URLs to the module download parameter. This causes the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can explo [truncated]