Detections
Analytics

CVE-2025-59055

medium

Description

InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability in InstantCMS up to and including 2.17.3 allows authenticated remote attackers to make nay HTTP/HTTPS request via the package parameter. It is possible to make any HTTP/HTTPS request to any website in installer functionality. Due to such vulnerability it is possible to for example scan local network, call local services and its functions, conduct a DoS attack, and/or disclose a server's real IP if it's behind a reverse proxy. It is also possible to exhaust server resources by sending plethora of such requests. As of time of publication, no patched releases are available.

References

https://github.com/instantsoft/icms2/security/advisories/GHSA-79hh-mhvg-whrw

https://github.com/instantsoft/icms2/commit/fa997bdab3429fad0c850966bfacbcb96d5ab041

Details

Source: Mitre, NVD

Published: 2025-09-11

Updated: 2025-09-11

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 4.7

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Severity: Medium

EPSS

EPSS: 0.00076