Message-ID: <71a042cd-6f30-e38d-9d1a-5fccc68a3b14@apache.org>
Date: Mon, 01 Jun 2026 09:59:11 +0000
From: Shuxin Pan <psxjoy@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-49328: Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF

Severity: important

Affected versions:

- Apache Fesod (Incubating) (org.apache.fesod:fesod-sheet) before 2.0.2-incubating

Description:

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

This issue is being tracked as apache/fesod#917
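The class of defect described above, a component that fetches whatever image URL a user supplies, is normally mitigated by validating the URL before the fetch and pinning the connection to the validated address. The following is an added, language-independent illustration of such a check written in Python; it is not the fesod project's code and does not reproduce the fix in apache/fesod#917. The function names (validate_image_url, is_restricted), the FAKE_DNS table, the hostnames and the address 1.2.3.4 are all constructed for the example; the resolver is injectable so the block runs offline, and in production the default socket.getaddrinfo-based resolver would be used.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

# Only fetch images over plain web schemes on their default ports; anything
# else (file:, ftp:, gopher:, unusual ports) is rejected outright.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed hostname table standing in for DNS so the example runs offline.
# "1.2.3.4" is a routable-looking placeholder, not a real image host.
FAKE_DNS = {
    "images.example.com": ["1.2.3.4"],
    "localtest.example.com": ["127.0.0.1"],         # name that points at loopback
    "rebind.example.com": ["1.2.3.4", "10.0.0.5"],   # mixed public/private answers
    "metadata.example.com": ["169.254.169.254"],     # link-local (cloud metadata range)
}


def fake_resolve(host: str) -> Iterable[str]:
    """Offline stand-in for a DNS lookup (constructed data)."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


def resolve_with_getaddrinfo(host: str) -> Iterable[str]:
    """Real resolver: every A/AAAA answer for host; all of them must pass."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_restricted(ip) -> bool:
    """True for addresses an outbound image fetch must never target:
    loopback, RFC 1918, link-local (169.254/16, fe80::/10), shared/CGNAT,
    ULA, unspecified, reserved and documentation ranges (anything Python's
    ipaddress does not consider global), plus multicast."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def validate_image_url(
    url: str,
    resolve: Callable[[str], Iterable[str]] = resolve_with_getaddrinfo,
) -> Tuple[bool, str]:
    """Return (ok, detail). When ok, detail is the resolved address the caller
    should connect to, so the fetch is pinned to the address that was checked
    rather than re-resolving the name (which would allow DNS rebinding)."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # A literal IP is checked directly; a name is resolved and every answer
    # must pass, otherwise a mixed record set slips a private address through.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:   # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "name resolved to no addresses"
    for ip in addresses:
        if is_restricted(ip):
            return False, f"restricted address {ip}"
    return True, str(addresses[0])


if __name__ == "__main__":
    for u in ("https://images.example.com/logo.png",
              "http://localtest.example.com/x.png",
              "http://[::ffff:10.0.0.5]/x.png",
              "file:///etc/hostname"):
        print(u, "->", validate_image_url(u, resolve=fake_resolve))
```

Two design points matter for a URL-to-image converter: the scheme and port allow-list stops the converter being turned into a generic client for other protocols, and the caller must open the connection to the address returned in `detail` (and refuse to follow redirects without re-running the check), otherwise a name that resolves differently on the second lookup bypasses the validation. Note that Python's `is_global` also treats the RFC 5737 documentation ranges as non-global, which is why the constructed "public" placeholder is not a 192.0.2.x or 203.0.113.x address.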

Credit:

Xu Han (finder)

References:

https://github.com/apache/fesod/pull/917
https://github.com/apache/fesod/releases/tag/2.0.2-incubating
https://fesod.apache.org/docs/download
https://fesod.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-49328
https://issues.apache.org/jira/browse/apache/fesod#917
