SSH
CVE-2026-30832
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
AnalysisAI
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
Technical ContextAI
CWE-918 server-side request forgery. Authenticated users can trigger server-side requests to internal network addresses through the Git server.
RemediationAI
Update to Soft Serve 0.11.4 or later.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3fvx-xrxq-8jvv