CVE-2026-49328 - Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF

June 11, 2026

Security advisory for CVE-2026-49328 regarding Server-Side Request Forgery (SSRF) in Apache Fesod (Incubating).

Description

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL.

Affected Modules and Versions

Fesod Spreadsheet (fesod-sheet):

2.0.1-incubating

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)	Fix version
2.0.1-incubating	2.0.2-incubating

References

https://github.com/apache/fesod/pull/917
https://github.com/apache/fesod/releases/tag/2.0.2-incubating
https://fesod.apache.org/docs/download
https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj

Description​

Affected Modules and Versions​

Mitigation​

References​

Description

Affected Modules and Versions

Mitigation

References