What is CVE-2026-35461?

CVE-2026-35461 is a medium-severity vulnerability in Papra-hq Papra, classified under Server-Side Request Forgery (SSRF). CVSS score: 5.0/10. Published 2026-04-07.

How severe is CVE-2026-35461?

Medium severity. CVSS v3 base score is 5.0 out of 10.

SSRF in Papra-hq Papra

CVE-2026-35461

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The ser…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (10.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N.

Affected products

Papra-hq Papra — versions < 26.4.0

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-35461?: CVE-2026-35461 is a medium-severity vulnerability in Papra-hq Papra, classified under Server-Side Request Forgery (SSRF). CVSS score: 5.0/10. Published 2026-04-07.
How severe is CVE-2026-35461?: Medium severity. CVSS v3 base score is 5.0 out of 10.