CVE-2026-48013

MEDIUMPre-NVD 4.14.1
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 4.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 83% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
4.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 4.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

Summary

The /api/_action/media/external-link endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel uploadFromURL flow validates target IPs against private/reserved ranges via FileUrlValidator, the linkURL flow only performs a URL format check (regex for http:// or https:// prefix), allowing SSRF to internal network services and cloud metadata endpoints.

Details

The vulnerability is an inconsistency between two URL-handling flows in MediaUploadService.

Vulnerable path (external-link):

MediaUploadV2Controller::externalLink() at src/Core/Content/Media/Api/MediaUploadV2Controller.php:66 takes a user-supplied url parameter and passes it to MediaUploadService::linkURL() at src/Core/Content/Media/Upload/MediaUploadService.php:134.

linkURL() calls getContentSizeFromValidExternalUrl($url) at line 159, which only validates via validateExternalUrl():

// src/Core/Content/Media/Upload/MediaUploadService.php:207-212
public static function validateExternalUrl(string $url): void
{
    if (!preg_match('/^https?:\/\/.+/', $url)) {
        throw MediaException::invalidUrl($url);
    }
}

Then makes a server-side HEAD request with no IP filtering:

// src/Core/Content/Media/Upload/MediaUploadService.php:292-300
private function getContentSizeFromValidExternalUrl(string $url): int
{
    $this->validateExternalUrl($url);

$headers = $this->httpClient->request('HEAD', $url)->getHeaders(); if (!\array_key_exists('content-length', $headers)) { throw MediaException::fileNotFound($url); }

return (int) $headers['content-length'][0]; }

Protected path (upload_by_url):

In contrast, uploadFromURL uses FileFetcher::fetchFromURL() which calls FileUrlValidator::isValid():

// src/Core/Content/Media/File/FileFetcher.php:64
if ($this->enableUrlValidation && !$this->fileUrlValidator->isValid($url)) {
    throw MediaException::illegalUrl($url);
}

FileUrlValidator::isValid() resolves the hostname via gethostbyname() and validates the IP against private and reserved ranges using filter_var() with FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. This protection is entirely absent from the linkURL flow.

Impact

An authenticated admin user can:

  • Probe cloud metadata services — HEAD requests to 169.254.169.254 reveal whether cloud metadata endpoints exist and leak content-length values
  • Scan internal networks — Differentiate open/closed/filtered ports on internal hosts (10.x, 172.16.x, 192.168.x) based on response timing and error types
  • Leak internal service information — The fileSize field stored in the database reflects the content-length header from internal services
  • Redirect-based escalation — Symfony HttpClient follows redirects by default (max_redirects=20), allowing an attacker-controlled external server to redirect the HEAD request to arbitrary internal destinations

Impact is limited to information disclosure via HEAD requests. The admin authentication requirement (PR:H) reduces exploitability, but in multi-tenant or compromised-credential scenarios this allows network reconnaissance from the server's perspective.

Recommended Fix

Apply FileUrlValidator to the linkURL flow, consistent with the uploadFromURL flow. In MediaUploadService:

// src/Core/Content/Media/Upload/MediaUploadService.php

// Add constructor dependency: private readonly FileUrlValidatorInterface $fileUrlValidator;

// In getContentSizeFromValidExternalUrl(), add IP validation: private function getContentSizeFromValidExternalUrl(string $url): int { $this->validateExternalUrl($url);

if (!$this->fileUrlValidator->isValid($url)) { throw MediaException::illegalUrl($url); }

$headers = $this->httpClient->request('HEAD', $url)->getHeaders(); if (!\array_key_exists('content-length', $headers)) { throw MediaException::fileNotFound($url); }

return (int) $headers['content-length'][0]; }

Additionally, consider setting max_redirects: 0 on the HttpClient request to prevent redirect-based SSRF bypasses.

CVSS v3
4.1
EG Score
4.1(low)
EPSS
16.6%
KEV
Not listed

Published

June 4, 2026

Last Modified

June 4, 2026

Vendor Advisories for CVE-2026-48013(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(2 across 1 ecosystem)
Packagist(2)
PackageVulnerable rangeFixed inDependents
shopware/corev6.7.0.0 ... v6.7.9.1 (26 versions)6.7.10.1
shopware/platformv6.7.0.0 ... v6.7.9.1 (26 versions)6.7.10.1

Data Freshness Timeline

(refreshed 3× in last 7d / 24× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-11 11:48 UTCEG score recompute
  2. 2026-07-08 09:34 UTCEG score recompute
  3. 2026-07-06 02:20 UTCEG score recompute
  4. 2026-07-03 02:09 UTCEG score recompute
  5. 2026-07-01 23:13 UTCEG score recompute
  6. 2026-06-30 20:56 UTCEG score recompute
  7. 2026-06-29 19:24 UTCEG score recompute
  8. 2026-06-28 17:25 UTCEG score recompute
  9. 2026-06-27 16:10 UTCEG score recompute
  10. 2026-06-26 14:55 UTCEG score recompute
  11. 2026-06-25 10:26 UTCEG score recompute
  12. 2026-06-24 08:59 UTCEG score recompute
  13. 2026-06-23 01:54 UTCEG score recompute
  14. 2026-06-19 19:46 UTCEG score recompute
  15. 2026-06-18 14:58 UTCEG score recompute
  16. 2026-06-17 11:17 UTCEG score recompute
  17. 2026-06-16 10:02 UTCEG score recompute
  18. 2026-06-15 08:47 UTCEG score recompute
  19. 2026-06-14 23:18 UTCEPSS rescore
  20. 2026-06-14 07:28 UTCEG score recompute
  21. 2026-06-13 23:00 UTCEPSS rescore
  22. 2026-06-13 06:13 UTCEG score recompute
  23. 2026-06-12 23:12 UTCEPSS rescore
  24. 2026-06-12 04:53 UTCEG score recompute
  25. 2026-06-11 03:38 UTCEG score recompute
Show 6 more
  1. 2026-06-10 02:23 UTCEG score recompute
  2. 2026-06-09 01:09 UTCEG score recompute
  3. 2026-06-07 23:54 UTCEG score recompute
  4. 2026-06-06 22:40 UTCEG score recompute
  5. 2026-06-05 21:25 UTCEG score recompute
  6. 2026-06-04 20:10 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-48013?
CVE-2026-48013 is a medium vulnerability published on June 4, 2026. Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation Summary The /api/_action/media/external-link endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel uploadFromURL flow validates target IPs against…
When was CVE-2026-48013 disclosed?
CVE-2026-48013 was first published in the National Vulnerability Database on June 4, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48013 actively exploited?
CVE-2026-48013 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-48013?
CVE-2026-48013 has a CVSS v4.0 base score of 4.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48013?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48013, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48013

Explore →

Is Your Infrastructure Affected by CVE-2026-48013?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.