CVE-2026-33486 | roadiz core-bundle-dev-app up to 2.3.41/2.5.43/2.6.27/2.7.8 Environment Variable server-side request forgery

VDB-353701 · CVE-2026-33486 · GCVE-0-2026-33486 ROADIZ CORE-BUNDLE-DEV-APP UP TO 2.3.41/2.5.43/2.6.27/2.7.8 ENVIRONMENT VARIABLE SERVER-SIDE REQUEST FORGERY HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.6 $0-$5k 3.43+ Summaryinfo A vulnerability was found in roadiz core-bundle-dev-app up to 2.3.41/2.5.43/2.6.27/2.7.8. It has been classified as critical. The impacted element is an unknown function of the component Environment Variable Handler. This manipulation causes server-side request forgery. This vulnerability is handled as CVE-2026-33486. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended. Detailsinfo A vulnerability classified as critical was found in roadiz core-bundle-dev-app up to 2.3.41/2.5.43/2.6.27/2.7.8. Affected by this vulnerability is an unknown code block of the component Environment Variable Handler. The manipulation with an unknown input leads to a server-side request forgery vulnerability. The CWE definition for the vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is: Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch. The advisory is shared at github.com. This vulnerability is known as CVE-2026-33486 since 03/20/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation needs additional levels of successful authentication. Neither technical details nor an exploit are publicly available. Upgrading to version 2.3.42, 2.5.44, 2.6.28 or 2.7.9 eliminates this vulnerability. Productinfo Vendor roadiz Name core-bundle-dev-app Version 2.3.0 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.3.7 2.3.8 2.3.9 2.3.10 2.3.11 2.3.12 2.3.13 2.3.14 2.3.15 2.3.16 2.3.17 2.3.18 2.3.19 2.3.20 2.3.21 2.3.22 2.3.23 2.3.24 2.3.25 2.3.26 2.3.27 2.3.28 2.3.29 2.3.30 2.3.31 2.3.32 2.3.33 2.3.34 2.3.35 2.3.36 2.3.37 2.3.38 2.3.39 2.3.40 2.3.41 2.5.0 2.5.1 2.5.2 2.5.3 2.5.4 2.5.5 2.5.6 2.5.7 2.5.8 2.5.9 2.5.10 2.5.11 2.5.12 2.5.13 2.5.14 2.5.15 2.5.16 2.5.17 2.5.18 2.5.19 2.5.20 2.5.21 2.5.22 2.5.23 2.5.24 2.5.25 2.5.26 2.5.27 2.5.28 2.5.29 2.5.30 2.5.31 2.5.32 2.5.33 2.5.34 2.5.35 2.5.36 2.5.37 2.5.38 2.5.39 2.5.40 2.5.41 2.5.42 2.5.43 2.6.0 2.6.1 2.6.2 2.6.3 2.6.4 2.6.5 2.6.6 2.6.7 2.6.8 2.6.9 2.6.10 2.6.11 2.6.12 2.6.13 2.6.14 2.6.15 2.6.16 2.6.17 2.6.18 2.6.19 2.6.20 2.6.21 2.6.22 2.6.23 2.6.24 2.6.25 2.6.26 2.6.27 2.7.0 2.7.1 2.7.2 2.7.3 2.7.4 2.7.5 2.7.6 2.7.7 2.7.8 Website Product: https://github.com/roadiz/core-bundle-dev-app/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.7 VulDB Meta Temp Score: 5.6 VulDB Base Score: 4.7 VulDB Temp Score: 4.5 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 6.8 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Server-side request forgery CWE: CWE-918 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: core-bundle-dev-app 2.3.42/2.5.44/2.6.28/2.7.9 Timelineinfo 03/20/2026 CVE reserved 03/26/2026 +6 days Advisory disclosed 03/26/2026 +0 days VulDB entry created 03/26/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-33486 (🔒) GCVE (CVE): GCVE-0-2026-33486 GCVE (VulDB): GCVE-100-353701 Entryinfo Created: 03/26/2026 19:06 Changes: 03/26/2026 19:06 (64) Complete: 🔍 Cache ID: 99:126:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸