Skip to main content

PromptHub CVE-2026-42261

| EUVDEUVD-2026-28504 HIGH
Improper Input Validation (CWE-20)
2026-05-08 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:32 vuln.today
Analysis Generated
May 08, 2026 - 04:32 vuln.today
CVE Published
May 08, 2026 - 03:11 nvd
HIGH 7.1

DescriptionGitHub Advisory

PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true - a supported and documented configuration - this means any internet user who can register. This issue has been patched in version 0.5.4.

AnalysisAI

Server-Side Request Forgery (SSRF) in PromptHub 0.4.9 through 0.5.3 allows authenticated users to bypass IPv6 address validation and probe internal network resources. The /api/skills/fetch-remote endpoint accepts user-supplied URLs and fetches them server-side, reflecting up to 5 MB of response data. Flawed IPv6 validation allows attackers to reach RFC1918 private networks, loopback addresses, and link-local destinations using IPv4-mapped IPv6 hex representations and alternate ::1 notations. When ALLOW_REGISTRATION=true (a documented configuration), any internet user can register and exploit this vulnerability. Vendor-released patch: version 0.5.4. EPSS data not available; no evidence of active exploitation (not in CISA KEV).

Technical ContextAI

PromptHub is a Node.js-based AI toolbox for managing prompts, skills, and agents. The vulnerability resides in apps/web/src/routes/skills.ts, which implements a server-side URL fetch feature for authenticated users. The SSRF protection function isPrivateIPv6 in apps/web/src/utils/remote-http.ts performs insufficient validation of IPv6 addresses. The CWE-20 (Improper Input Validation) classification reflects the root cause: the filter fails to normalize IPv6 addresses before comparison, allowing multiple valid representations of the same address to bypass string-matching checks. IPv4-mapped IPv6 addresses in hexadecimal form (e.g., ::ffff:7f00:1 for 127.0.0.1) and non-canonical representations of ::1 (such as 0:0:0:0:0:0:0:1) evade the blocklist. This enables authenticated attackers to proxy requests to internal services, cloud metadata endpoints (169.254.169.254), and private network resources, potentially exfiltrating sensitive data or pivoting to internal systems.

RemediationAI

Upgrade immediately to PromptHub version 0.5.4 or later, released by the vendor to address this vulnerability. Download links for patched versions: Windows x64/arm64 installers (PromptHub-Setup-0.5.4-x64.exe, PromptHub-Setup-0.5.4-arm64.exe), macOS Apple Silicon/Intel DMG files (PromptHub-0.5.4-arm64.dmg, PromptHub-0.5.4-x64.dmg), Linux AppImage and deb packages (PromptHub-0.5.4-x64.AppImage, PromptHub-0.5.4-amd64.deb) available at https://github.com/legeling/PromptHub/releases/tag/v0.5.4. For macOS users, execute 'sudo xattr -rd com.apple.quarantine /Applications/PromptHub.app' after installation to resolve Gatekeeper warnings. If immediate patching is not feasible, implement network-level egress filtering to block server outbound connections to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8, ::1), link-local ranges (169.254.0.0/16, fe80::/10), and cloud metadata endpoints (169.254.169.254). Alternatively, disable the /api/skills/fetch-remote endpoint via reverse proxy rules or application firewall, though this eliminates the remote skill fetch functionality. For deployments with ALLOW_REGISTRATION=true, immediately disable public registration and review existing user accounts for suspicious registrations, as this configuration enabled unauthenticated internet users to create accounts and exploit the SSRF.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-42261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy