{"id":"CVE-2026-33486","summary":"Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents","details":"Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.","aliases":["GHSA-rc55-58f4-687g"],"modified":"2026-04-10T05:43:18.702744Z","published":"2026-03-26T17:15:31.073Z","database_specific":{"cwe_ids":["CWE-918"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33486.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33486.json"},{"type":"FIX","url":"https://github.com/roadiz/core-bundle-dev-app/commit/7904f690a51b88b1c72c02149ebdf85fa81f19f2"},{"type":"ADVISORY","url":"https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-rc55-58f4-687g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33486"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roadiz/core-bundle-dev-app","events":[{"introduced":"6e406d459f47e060d2954231b9b645d1698d2074"},{"fixed":"a475ab03d6381926b164d372c752d3a0aadedb11"}],"database_specific":{"versions":[{"introduced":"2.7.0"},{"fixed":"2.7.9"}]}},{"type":"GIT","repo":"https://github.com/roadiz/core-bundle-dev-app","events":[{"introduced":"61615a9afed0b4dcdf51ca475c1ece8f6b21968c"},{"fixed":"557f2fff15da91f4dd0a59d20debc4a0760c4853"}],"database_specific":{"versions":[{"introduced":"2.6.0"},{"fixed":"2.6.28"}]}},{"type":"GIT","repo":"https://github.com/roadiz/core-bundle-dev-app","events":[{"introduced":"6ebbb9a8eb917e9968c741e2c9d0f4444366e23d"},{"fixed":"c064d4c2c00245729f324e980c380afb83b49ecd"}],"database_specific":{"versions":[{"introduced":"2.4.0"},{"fixed":"2.5.44"}]}},{"type":"GIT","repo":"https://github.com/roadiz/core-bundle-dev-app","events":[{"introduced":"0"},{"fixed":"1238ea413c86babdea2d8e8c53c397b6b5ed5de9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.42"}]}}],"versions":["v2.1.0","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.15","v2.1.16","v2.1.17","v2.1.18","v2.1.19","v2.1.2","v2.1.20","v2.1.21","v2.1.22","v2.1.23","v2.1.24","v2.1.25","v2.1.26","v2.1.27","v2.1.28","v2.1.29","v2.1.3","v2.1.30","v2.1.31","v2.1.32","v2.1.33","v2.1.34","v2.1.35","v2.1.36","v2.1.37","v2.1.38","v2.1.39","v2.1.4","v2.1.40","v2.1.41","v2.1.42","v2.1.43","v2.1.44","v2.1.45","v2.1.46","v2.1.47","v2.1.48","v2.1.49","v2.1.5","v2.1.50","v2.1.51","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.10","v2.2.11","v2.2.12","v2.2.13","v2.2.14","v2.2.15","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1","v2.3.10","v2.3.11","v2.3.12","v2.3.13","v2.3.14","v2.3.15","v2.3.16","v2.3.17","v2.3.18","v2.3.19","v2.3.2","v2.3.20","v2.3.21","v2.3.22","v2.3.23","v2.3.24","v2.3.25","v2.3.26","v2.3.27","v2.3.28","v2.3.29","v2.3.3","v2.3.30","v2.3.31","v2.3.32","v2.3.33","v2.3.34","v2.3.35","v2.3.36","v2.3.37","v2.3.38","v2.3.39","v2.3.4","v2.3.40","v2.3.41","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.4.1","v2.4.10","v2.4.11","v2.4.12","v2.4.13","v2.4.14","v2.4.15","v2.4.16","v2.4.17","v2.4.18","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9","v2.5.0","v2.5.1","v2.5.10","v2.5.11","v2.5.12","v2.5.13","v2.5.14","v2.5.15","v2.5.16","v2.5.17","v2.5.18","v2.5.19","v2.5.2","v2.5.20","v2.5.21","v2.5.22","v2.5.23","v2.5.24","v2.5.25","v2.5.26","v2.5.27","v2.5.28","v2.5.29","v2.5.3","v2.5.30","v2.5.31","v2.5.32","v2.5.33","v2.5.34","v2.5.35","v2.5.36","v2.5.37","v2.5.38","v2.5.39","v2.5.4","v2.5.40","v2.5.41","v2.5.42","v2.5.43","v2.5.5","v2.5.6","v2.5.7","v2.5.8","v2.5.9","v2.6.0","v2.6.1","v2.6.10","v2.6.11","v2.6.12","v2.6.13","v2.6.14","v2.6.15","v2.6.16","v2.6.17","v2.6.18","v2.6.19","v2.6.2","v2.6.20","v2.6.21","v2.6.22","v2.6.23","v2.6.24","v2.6.25","v2.6.26","v2.6.27","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.6.8","v2.6.9","v2.7.0","v2.7.1","v2.7.2","v2.7.3","v2.7.4","v2.7.5","v2.7.6","v2.7.7","v2.7.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33486.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"}]}