Severity: important

Affected versions:

- Apache Fesod (Incubating) (org.apache.fesod:fesod-sheet) before 2.0.2-incubating

Description:

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL.

Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

This issue is being tracked as apache/fesod#917

Credit:

Xu Han (finder)

References:

https://github.com/apache/fesod/pull/917
https://github.com/apache/fesod/releases/tag/2.0.2-incubating
https://fesod.apache.org/docs/download
https://fesod.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-49328
https://issues.apache.org/jira/browse/apache/fesod#917
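
For applications that accept image URLs from users and cannot upgrade immediately, the sketch below shows a defensive pre-fetch check for the issue class described above. It is an added example, not Apache Fesod code and not the fix shipped in 2.0.2-incubating; the class `ImageUrlGuard` and its methods are hypothetical names, and the sample URLs are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Added example: hypothetical pre-fetch check, not Apache Fesod code.
public final class ImageUrlGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // True for addresses a user-supplied image URL should never reach.
    static boolean isRestricted(InetAddress addr) {
        if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                || addr.isMulticastAddress()) {
            return true;
        }
        byte[] b = addr.getAddress();
        // IPv6 unique-local fc00::/7 is not covered by isSiteLocalAddress().
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) return true;
        // IPv4 shared address space 100.64.0.0/10 (carrier-grade NAT).
        return b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;
    }

    // Accept only http(s) URLs whose host resolves exclusively to public addresses.
    static boolean isAllowed(String url) {
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null || uri.getUserInfo() != null) return false;
            if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return false;
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isRestricted(addr)) return false; // one bad record rejects the URL
            }
            return true;
        } catch (Exception e) {
            return false; // unparsable URL or unresolvable host: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; IP literals so the demo needs no DNS.
        String[] samples = {
            "http://203.0.113.10/logo.png", "http://127.0.0.1:8080/logo.png",
            "http://10.0.0.5/logo.png", "http://169.254.169.254/logo.png",
            "http://[::1]/logo.png", "file:///tmp/logo.png"
        };
        for (String s : samples) System.out.println(isAllowed(s) + "  " + s);
    }
}
```

The check and the later fetch resolve DNS separately, so the fetching code should connect to the address that was validated and repeat the check on every redirect hop rather than following redirects automatically.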
