Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentication cookies and headers exposure and possible privilege escalation.
AnalysisAI
Server-side request forgery in scalar/astro v0.1.13 allows remote unauthenticated attackers to coerce the backend into making HTTP requests to attacker-controlled destinations via the scalar_url query parameter of the Scalar Proxy endpoint. Exploitation can expose authentication cookies and headers forwarded by the proxy, enabling account takeover and potential privilege escalation. Publicly available exploit code exists, though EPSS is low (0.03%) suggesting limited mass exploitation at this time.
Technical ContextAI
Scalar is an open-source API documentation and reference platform; the affected component is the Astro integration (scalar/astro) at version 0.1.13, which ships a proxy endpoint that fetches arbitrary URLs supplied through the scalar_url query parameter. The flaw is a textbook CWE-918 (Server-Side Request Forgery): user input is used to construct an outbound HTTP request from the server without validating the destination host, scheme, or whether internal/loopback/metadata ranges are permitted. Because the proxy forwards request headers, any session cookies or authorization tokens attached to the proxy request can be leaked to the attacker-controlled destination. The CPE in NVD is the placeholder cpe:2.3:a:n/a:n/a, indicating that no canonical vendor/product CPE has yet been assigned for scalar/astro.
RemediationAI
No vendor-released patch identified at time of analysis - neither the NVD nor EUVD record cites a fixed version, and no vendor advisory is linked in the provided references, so administrators should monitor the scalar/astro repository for a release above 0.1.13 and upgrade as soon as one is published. Until a fix is available, restrict or disable the Scalar Proxy endpoint at the reverse proxy or web server (deny requests to the proxy route that handle scalar_url), or strip/validate the scalar_url query parameter with an egress allowlist that constrains it to known documentation hosts only; both of these break the legitimate proxy-driven API try-it functionality, so expect documentation 'Try it' features to fail until restored. As a defense-in-depth control, block outbound traffic from the application host to internal RFC1918 ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254) so that even a successful SSRF cannot reach sensitive internal services, and rotate any session cookies or API tokens that may have been forwarded through the proxy. Authoritative tracking URL: https://nvd.nist.gov/vuln/detail/CVE-2026-30118.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30948
GHSA-46mr-vgx5-fc36