This CVE has been withdrawn by MITRE
MITRE marked CVE-2026-40500 as REJECTED on . There is no longer a valid blast radius to assess. Any historical package or vendor data shown below is preserved for audit reference only.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The "Add Module from URL" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable.
CVE-2026-40500 Blast Radius
✕ WITHDRAWN — HISTORICAL DATAProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that …