CVEFinder.io

CVE-2026-41195

🔶 medium
Summary

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.
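The two gaps the summary names (redirects are followed, and private or loopback destinations are not restricted) can be closed by validating every hop before connecting. The code below is an added example, not mosparo's code or its 1.4.13 fix; `fetch_rule_package`, the injected `resolve` and `http_get` callables, and the sample hosts and responses are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5

def is_public_ip(addr):
    """True only for globally routable addresses (no loopback, private, link-local)."""
    ip = ipaddress.ip_address(addr)          # raises ValueError if not an IP
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip).is_global          # unwrap ::ffff:a.b.c.d first

def check_url(url, resolve):
    """Return the vetted addresses for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"blocked scheme or host: {url}")
    addrs = resolve(parts.hostname)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"blocked destination: {url}")
    return addrs

def fetch_rule_package(url, resolve, http_get):
    """Follow redirects by hand so each Location target is checked too."""
    for _ in range(MAX_REDIRECTS + 1):
        addrs = check_url(url, resolve)
        # Hypothetical transport: connects to the vetted IP, not a fresh lookup.
        status, location, body = http_get(url, addrs[0])
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise ValueError("too many redirects")

# Constructed sample data: a fake resolver and fake HTTP responses.
DNS = {"rules.example.org": ["93.184.216.34"],
       "redir.example.org": ["93.184.216.34"],
       "intranet.example.org": ["10.0.0.5"]}
WEB = {"https://rules.example.org/pkg.json": (200, None, b'{"rules": []}'),
       "https://redir.example.org/pkg.json": (302, "http://127.0.0.1:8080/", b"")}

def try_fetch(url):
    """Run the fetch against the constructed data; 'blocked' on rejection."""
    try:
        return fetch_rule_package(url, lambda h: DNS.get(h, [h]),
                                  lambda u, ip: WEB[u])
    except ValueError:
        return "blocked"
```

The redirect case is the one a check at save time misses: the stored URL resolves to a public address, and only the `Location` target is internal.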

CVSS Score: 5.0 (Medium)
EPSS Score (Exploit Probability): 0.0
Published Date: 2026-05-12
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.3% of all 326,604 vulnerabilities in our database.

#263,468
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 18, 2026
🔍 Exploitation Status: PoC (Proof-of-concept available)
⚙️ Automatable: No (Requires human interaction)
💥 Technical Impact: Partial (Limited system impact)
SSVC data provided by CISA
Last Modified: 2026-05-18
Source: NVD
CVSS Vector 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CWE IDs (Weakness Types)

📦 Affected Products 0

No affected products information available

🔗 References 1