Skip to main content

Woahai321 ListSync CVE-2026-3958

LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-11 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Mar 12, 2026 - 22:07 vuln.today
CVE Published
Mar 11, 2026 - 22:16 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Woahai321 ListSync versions up to 0.6.6 contain a server-side request forgery vulnerability in the JSON handler component that allows authenticated remote attackers to make arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not yet responded to the disclosure. An attacker with valid credentials can leverage this to access internal resources or attack systems on the server's network.

Technical ContextAI

This vulnerability (CWE-918: Server-Side Request Forgery (SSRF)) affects A vulnerability has been found in Woahai321 ListSync. has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected ProductsAI

Product: A vulnerability has been found in Woahai321 ListSync. Versions: up to 0.6.6..

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-3958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy