Skip to main content

Known CVE-2026-28508

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-06 security-advisories@github.com GHSA-fcrh-fqxh-6fx6
CSRF SSRF Known
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 05:16 nvd
HIGH 8.6

DescriptionGitHub Advisory

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

AnalysisAI

Idno prior to version 1.6.4 contains an authentication bypass in the URL unfurl API endpoint that allows unauthenticated attackers to trigger arbitrary outbound HTTP requests from the server. An attacker can exploit this to access internal network addresses and cloud metadata services, potentially exposing sensitive configuration and credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted request to URL unfurl endpoint
Exploit
Bypass CSRF protection via logic error
Execution
Force server to make arbitrary HTTP requests
Impact
Retrieve sensitive response data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Idno versions prior to 1.6.4 with URL unfurl service endpoint accessible without authentication. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Exploitation no authentication required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker without authentication could exploit this vulnerability to force the server to make arbitrary outbound HTTP requests to any host, including.
Remediation Fixed in version 1.6.4.. Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28508 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy