CVE-2025-63551

Published: Nov 6, 2025

Modified: Nov 7, 2025

PUBLISHED

Description

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/main/README.md

https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-63551

Description

Affected Products

References