CVE-2026-6625— moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6625
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery
Source: NVD (National Vulnerability Database)
Vulnerability Description
A security vulnerability has been detected in moxi624 Mogu Blog v2 up to 5.2. Affected by this vulnerability is the function LocalFileServiceImpl.uploadPictureByUrl of the file mogu_picture/src/main/java/com/moxi/mogublog/picture/service/impl/LocalFileServiceImpl.java of the component Picture Storage Service. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MoguBlog(蘑菇博客) 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MoguBlog(蘑菇博客)是中国Streamlet个人开发者的一个基于微服务架构的前后端分离博客系统。 MoguBlog(蘑菇博客) v2 5.2及之前版本存在安全漏洞,该漏洞源于对文件mogu_picture/src/main/java/com/moxi/mogublog/picture/service/impl/LocalFileServiceImpl.java中Picture Storage Service组件LocalFileServiceImpl.uploadPictureByUrl函数的操作
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| moxi624 | Mogu Blog v2 | 5.0 | - |
II. Public POCs for CVE-2026-6625
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6625
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: Mogu Blog v2
- CVE-2025-13816
moxi159753 Mogu Blog v2 ZIP File unzipFile FileOperation.unz - CVE-2025-13815
moxi159753 Mogu Blog v2 pictures unrestricted upload - CVE-2025-13814
moxi159753 Mogu Blog v2 uploadPicsByUrl LocalFileServiceImpl - CVE-2025-13813
moxi159753 Mogu Blog v2 Storage Management Endpoint storage - CVE-2023-2101
moxi624 Mogu Blog v2 uploadPicsByUrl uploadPictureByUrl abso
Same weakness: CWE-918
- CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0 - CVE-2026-44286
FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing
V. Comments for CVE-2026-6625
No comments yet