Releases - mosparo
https://mosparo.io/releases/
The modern spam protection
Wed, 15 Apr 2026 04:48:40 +0000

Release v1.4.13
https://mosparo.io/releases/release-v1-4-13/
Tue, 14 Apr 2026 18:02:39 +0000

This release, v1.4.13, is a security release to fix a security issue in the rule package process.

  • Fixed an SSRF security issue in the rule package process, found and reported by pyuysig, Yuming Zhang, and Song Li of Zhejiang University via the security advisories.
  • Updated the translations for multiple languages.

We’re thankful for the analysis and reporting by pyuysig, Yuming Zhang, and Song Li. Thank you for using the security advisories to report the issue to us in private. We’re also thankful for all other contributions, like translations.

We recommend updating to v1.4.13 as soon as you can.

Details of the security issue

Description of the security issue

The rule package process followed redirects and allowed access to private networks. This can be used to mount an attack on mosparo, especially via the APIs and the web cron job routes. With this method, an attacker can bypass the allowlists configured in mosparo (Administration -> Security settings) and make requests to these routes, even if the allowlists protect them.

Risk assessment

The risk of this security issue in the rule package process is manageable. The attacker cannot use this method to obtain any information from mosparo. All routes except one are protected by authentication. The only directly exposed API is the health check, which provides no data other than the system status. The attacker can only request a route; the response from the request is not visible to the user. The two biggest problems with this security issue are:

  1. It is possible to map the routes and therefore detect the version of a mosparo installation.
  2. It is possible to overload the server if the web cron job is active and the attacker knows its secret key.

For an attacker to use this security issue, the following requirements need to be met:

  • The attacker needs a non-administrative user in your mosparo installation with the Owner or Editor role. Administrative users (users with the “Is administrator” role) can already see all this information in the administration area and gain no benefit from this method.
  • The allowlists need to be configured in the Administration -> Security settings. Otherwise, the routes are exposed to the internet anyway, and there is no benefit in using this security issue (except for accessing the health check API).
  • You need to have enabled the web cron job, and the attacker needs to know the secret key for it; otherwise, overloading the web server by calling it is not possible.

Changes to mitigate the security issue

The following changes resolve the security issue:

  • Redirects are no longer followed, and private networks are no longer accessible by the rule package process. This solves the problem completely because, for the attack method, the process must follow the redirects.
  • A non-administrative user will no longer see the exact error message when adding a rule package. The user will see an error message, but the message is the same across all error cases.
  • A minimum refresh interval of 1 hour is applied to all rule packages, making this attack method even less practical.

It is possible to allow redirects and access to private networks, and to adjust the minimum refresh interval using newly added environment variables.

With the release of version 1.4.13, we’re applying new default values that prevent redirects and private network access, enforce a minimum refresh interval, and replace specific error messages with general ones for non-administrative users.

Release v1.4.12
https://mosparo.io/releases/release-v1-4-12/
Sun, 22 Feb 2026 10:11:59 +0000

This release contains a security bug fix, a small enhancement, and a UI fix.

  • Since version 1.4.0, the field value has not been properly escaped, which could lead to a potential XSS issue.
  • On the submission detail page, we added two buttons to navigate to the newer and older submissions. Suggested by Pink_Imagination
  • Fixed a small UI issue with icons in buttons
  • Updated the translations.

Release v1.4.11
https://mosparo.io/releases/release-v1-4-11/
Tue, 10 Feb 2026 19:55:58 +0000

Version 1.4.11 is a maintenance release that updates all backend dependencies and fixes a typo.

  • Updated symfony/process to mitigate CVE-2026-24739 on Windows, reported by Tekka27
  • Updated all the other backend dependencies
  • Fixed a small typo in one of the strings, reported by ExeQue

Thank you very much for your reports and help to make mosparo better!

Release v1.4.10
https://mosparo.io/releases/release-v1-4-10/
Sun, 25 Jan 2026 09:58:51 +0000

The release v1.4.10 is a bug fix and a (minor) enhancement release. It includes three bug fixes and a rule type enhancement.

  • Added two new subtypes for the Word rule type: “Exact word” and “Entire field”. Suggested and inspired by winkelement in #382. Learn more about these in the documentation.
  • Using 0.0 as a rating value for a rule item was not correctly processed. Reported by winkelement in #391.
  • Fixed an undefined variable in the import process.
  • Added a special validation for subnet suffixes that are too high in the rule editor.

Thank you, winkelement, and all our other contributors, for your contributions!

Release v1.4.9
https://mosparo.io/releases/release-v1-4-9/
Tue, 20 Jan 2026 18:38:56 +0000

In this version, we fixed an issue with the standard Docker image and updated the translations.

  • Fixed an issue with the standard Docker image with the `public/resources` directory, introduced in the last version (v1.4.8). Reported by softlion in #388.
  • Updated the Italian and Polish translations provided by our contributors.
  • Fixed the name “mosparo” in some of the translation files.

Thank you for your contributions and help in making mosparo better!

Release v1.4.8
https://mosparo.io/releases/release-v1-4-8/
Sat, 20 Dec 2025 18:54:17 +0000

With this version, we’ve fixed a deadlock issue and updated the translations.

  • Fixed a deadlock exception in the form validation API. The deadlock occurred when a bot (most likely) tried to validate the form data multiple times simultaneously using the same submit token. With this release, we’ve split the problematic query so that the deadlock cannot happen again. Reported by demon_ru in the WordPress support forum.
  • Updated the translations for Italian, Korean, and Slovenian. Thank you for your contributions!

Release v1.4.7
https://mosparo.io/releases/release-v1-4-7/
Sun, 30 Nov 2025 09:40:37 +0000

This release is a bug-fix release that fixes three bugs.

  • Fixed the incorrect handling of lowercase values in the validation process, which incorrectly ignored rule items because of the different cases. Reported by GeorgBNM in #367/#380
  • Fixed the wrong use of the native client if two curl functions are not available. Found when solving #365
  • Added the missing rewrite rule to fix the update functionality if the document root of the host is not set to the public directory. Reported by mpaglia0 in #365

Thank you very much for reporting these issues!

Release v1.4.6
https://mosparo.io/releases/release-v1-4-6/
Thu, 20 Nov 2025 16:17:43 +0000

Version 1.4.6 is a bugfix release that includes two bugfixes and a translation update.

  • Added the required logic to store only the relevant information in the session, preventing 500 errors when trying to store too much information. Reported by andrevabo in #373
  • Added a better method to solve the PoW puzzle in a non-blocking way. Reported by Sapper-Morton in #376
  • Updated the backend and validators translations for Czech.

Thank you very much for your bug reports and contributions.

Release v1.4.5
https://mosparo.io/releases/release-v1-4-5/
Sat, 15 Nov 2025 16:54:19 +0000

Version 1.4.5 is a maintenance release that includes two bug fixes, a minor enhancement, updated backend dependencies, and additional backend translations.

  • Fixed an issue that occurred when adding multiple invalid items simultaneously.
  • Added the time to the XHR requests in the update process to bypass the browser cache (#365). Reported by mpaglia0
  • Added the functionality to adjust the page size in the rule item editor (#366). Suggested by winkelement
  • Updated all backend dependencies.
  • Updated the backend translations.

Thank you very much for all your contributions!

Release v1.4.4
https://mosparo.io/releases/release-v1-4-4/
Wed, 05 Nov 2025 18:49:32 +0000

This maintenance release includes a bug fix for the rule tester logic and an update for the French translations.

  • Fixed the bug where mosparo used disabled rules and rule packages to validate a submission. Reported by winkelement in #364
  • Updated the French translations for frontend, backend, and validators. Provided by Bamowen via Weblate

Thank you very much for all your contributions and feedback!
