cvedb.io
CVE-2025-59055
MEDIUM · CVSS 4.7
EPSS exploitation probability: 0%
Published 2025-09-11T19:15:34.660 · Last modified 2026-06-17T09:45:30.820

Summary

InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability in InstantCMS up to and including 2.17.3 allows authenticated remote attackers to make arbitrary HTTP/HTTPS requests via the package parameter of the installer functionality: the server can be made to send a request to any URL. This can be used, for example, to scan the local network, call local services and their functions, conduct a DoS attack, and/or disclose the server's real IP address if it sits behind a reverse proxy. It is also possible to exhaust server resources by sending a large number of such requests. As of the time of publication, no patched releases are available.
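The class of check that closes this kind of hole is an allow-list validator on the user-supplied URL, applied before the server fetches anything. The block below is an added illustration written for this page; it is not InstantCMS code (the installer's source was not reviewed here) and the parameter name `package`, the allow-listed hosts, and the constructed resolver are assumptions. It rejects non-http(s) schemes, userinfo tricks, literal IP addresses, hosts outside the allow-list, and allow-listed names that resolve to loopback, private, link-local or other non-public addresses.

```python
"""Allow-list validation for an installer-style "fetch package from URL" parameter.

Added example for this page, not InstantCMS's own code. Assumptions: the
parameter is called `package`, packages may only come from ALLOWED_HOSTS,
and the caller connects to the returned pinned address rather than
re-resolving the name.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed package sources; a real deployment would make this configurable.
ALLOWED_HOSTS = {"github.com", "codeload.github.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_public(host, resolver=socket.getaddrinfo):
    """Resolve host and require every returned address to be public.

    This catches an allow-listed name that has been pointed at 127.0.0.1,
    10/8, 169.254.169.254 and the like. Returns the sorted address list.
    """
    addrs = sorted({info[4][0] for info in resolver(host, None)})
    if not addrs:
        raise ValueError(f"{host}: no addresses")
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address {bad[0]}")
    return addrs


def validate_package_url(url, resolver=socket.getaddrinfo):
    """Return (scheme, host, port, addrs) for an acceptable URL, else raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme or '(none)'}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, not a literal address: continue with the name checks
    else:
        raise ValueError("literal IP addresses are not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allow-list: {host}")
    port = parts.port or (443 if scheme == "https" else 80)  # .port raises on junk
    addrs = resolve_public(host, resolver)
    return scheme, host, port, addrs


def check_package_url(url, resolver=socket.getaddrinfo):
    """Non-raising wrapper: returns the rejection reason, or None if acceptable."""
    try:
        validate_package_url(url, resolver)
    except ValueError as exc:
        return str(exc)
    return None


def static_resolver(addrs):
    """Constructed stand-in for socket.getaddrinfo so the demo runs offline."""
    return lambda host, port: [(2, 1, 6, "", (a, 0)) for a in addrs]


if __name__ == "__main__":
    public = static_resolver(["140.82.121.4"])  # constructed sample address
    for candidate in [
        "https://github.com/example/pkg/archive/v1.zip",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]/",
        "file:///etc/passwd",
        "http://user@github.com/",
        "http://localhost/",
    ]:
        print(candidate, "->", check_package_url(candidate, public) or "accepted")
```

Two caveats matter in practice. Re-resolving the name when the download is made reopens the hole via DNS rebinding, so connect to the pinned address from `validate_package_url` and send the Host header yourself, and either disable redirects or run every redirect target through the same check. Because the advisory also notes resource exhaustion from many requests, the fetch should carry a connect/read timeout and a maximum body size, and the installer endpoint should remain restricted to administrators.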

Affected products

instantcms — instantcms

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.