CVE-2026-25870 is a server-side request forgery (SSRF) vulnerability affecting DoraCMS version 3.1 and prior. It exists in the UEditor remote image fetch functionality, where user-supplied URLs are fetched by the server without sufficient validation or destination restrictions. The implementation does not enforce allowlists, block internal/private IP addresses, or apply request timeouts or response size limits. This allows attackers to induce the server to make HTTP/HTTPS requests to arbitrary hosts, including internal network resources, potentially enabling internal network reconnaissance and denial of service through resource exhaustion. The vulnerability has a CVSS 4.0 score of 6.9 (medium severity). There is no vendor advisory or patch information available at this time.

An attacker can exploit this SSRF vulnerability to cause the DoraCMS server to make unauthorized HTTP/HTTPS requests to arbitrary external or internal network hosts. This can lead to internal network scanning, potentially exposing sensitive internal services. Additionally, the lack of request timeouts and response size limits may allow denial of service conditions via resource exhaustion on the server. There are no known exploits in the wild reported. The vulnerability is rated medium severity with a CVSS 4.0 score of 6.9.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting the UEditor remote image fetch functionality to prevent untrusted URL inputs. Implementing network-level controls to restrict outbound HTTP/HTTPS requests from the server to trusted destinations may help mitigate risk. Monitor vendor channels for updates regarding patches or official mitigations.