From 808a27271230cebc091da31e2860ba83ef3c341d Mon Sep 17 00:00:00 2001 From: Bengbengbalabalabeng Date: Thu, 11 Jun 2026 19:23:03 +0800 Subject: [PATCH] docs(blog): add CVE-2026-49328 security advisory --- website/blog/2026-06-11-cve-2026-49328.md | 34 +++++++++++++++++++ .../2026-06-11-cve-2026-49328.md | 34 +++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 website/blog/2026-06-11-cve-2026-49328.md create mode 100644 website/i18n/zh-cn/docusaurus-plugin-content-blog/2026-06-11-cve-2026-49328.md diff --git a/website/blog/2026-06-11-cve-2026-49328.md b/website/blog/2026-06-11-cve-2026-49328.md new file mode 100644 index 000000000..349a50603 --- /dev/null +++ b/website/blog/2026-06-11-cve-2026-49328.md 
@@ -0,0 +1,34 @@ +--- +title: "CVE-2026-49328 - Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF" +description: Security advisory for CVE-2026-49328. +tags: [announcement, security, CVE-2026-49328] +--- + +Security advisory for **CVE-2026-49328** regarding Server-Side Request Forgery (SSRF) in Apache Fesod (Incubating). + + + +## Description + +Server-Side Request Forgery (SSRF) in the `UrlImageConverter` component of Apache Fesod (Incubating) `fesod-sheet` allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. + +## Affected Modules and Versions + +Fesod Spreadsheet (`fesod-sheet`): + +- 2.0.1-incubating + +## Mitigation + +Users of affected versions should upgrade to the corresponding fixed version. + +| Affected version(s) | Fix version | +|---------------------|------------------| +| 2.0.1-incubating | 2.0.2-incubating | + +## References + +- [https://github.com/apache/fesod/pull/917](https://github.com/apache/fesod/pull/917) +- [https://github.com/apache/fesod/releases/tag/2.0.2-incubating](https://github.com/apache/fesod/releases/tag/2.0.2-incubating) +- [https://fesod.apache.org/docs/download](https://fesod.apache.org/docs/download) +- [https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj](https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj) diff --git a/website/i18n/zh-cn/docusaurus-plugin-content-blog/2026-06-11-cve-2026-49328.md b/website/i18n/zh-cn/docusaurus-plugin-content-blog/2026-06-11-cve-2026-49328.md new file mode 100644 index 000000000..0e082a931 --- /dev/null +++ b/website/i18n/zh-cn/docusaurus-plugin-content-blog/2026-06-11-cve-2026-49328.md 
@@ -0,0 +1,34 @@ +--- +title: "CVE-2026-49328 - Apache Fesod (Incubating): 对用户提供的URL验证不当导致SSRF漏洞" +description: 关于 CVE-2026-49328 的安全通告. +tags: [announcement, security, CVE-2026-49328] +--- + +关于 Apache Fesod (Incubating) 中服务器端请求伪造(SSRF)漏洞 **CVE-2026-49328** 的安全通告。 + + + +## 漏洞描述 + +Apache Fesod (Incubating) 的 `fesod-sheet` 模块中 `UrlImageConverter` 组件存在服务器端请求伪造(SSRF)漏洞。攻击者可以通过提供恶意的图片 URL,诱使系统向内部网络或其他受限资源发起出站网络请求。 + +## 受影响的模块与版本 + +Fesod Spreadsheet (`fesod-sheet`): + +- 2.0.1-incubating + +## 修复建议 + +建议受影响版本的用户尽快升级到对应的修复版本。 + +| 受影响版本 | 修复版本 | +|------------------|------------------| +| 2.0.1-incubating | 2.0.2-incubating | + +## 参考链接 + +- [https://github.com/apache/fesod/pull/917](https://github.com/apache/fesod/pull/917) +- [https://github.com/apache/fesod/releases/tag/2.0.2-incubating](https://github.com/apache/fesod/releases/tag/2.0.2-incubating) +- [https://fesod.apache.org/docs/download](https://fesod.apache.org/docs/download) +- [https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj](https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj)
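Review bot: In the English post (website/blog/2026-06-11-cve-2026-49328.md), the `## Mitigation` section only says "upgrade"; it does not say what the fix changes or what users who cannot upgrade immediately can do. Since the References already link apache/fesod#917, add one sentence under Mitigation summarising the validation that PR introduces for user-supplied image URLs in `UrlImageConverter`, and, if the project has one, an interim measure for untrusted input. Also confirm the affected range is complete: only `- 2.0.1-incubating` is listed, so either state that earlier releases are not affected or express the range as `<= 2.0.1-incubating`. Minor: the three consecutive blank lines after the intro sentence look like a stripped `<!-- truncate -->` marker or leftover whitespace; keep the marker or a single blank line. A credit line for the reporter is also customary in these advisories and is missing here.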
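Review bot: Punctuation in the zh-cn post (website/i18n/zh-cn/docusaurus-plugin-content-blog/2026-06-11-cve-2026-49328.md) is mixed: the `description` front-matter value ends with an ASCII period (`关于 CVE-2026-49328 的安全通告.`) while the body uses `。`, and the description paragraph uses an ASCII comma (`图片 URL,诱使系统`) and ASCII parentheses around `(SSRF)`. Use full-width `，` `。` `（）` consistently, or whatever convention the site's other zh-cn posts follow. Keep the two files in sync as well: any mitigation detail, affected-range wording or credit line added to the English post should be mirrored here, since the section structure and table are otherwise identical.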