Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affects an unknown part of the file server/front/src/index.ts of the component Import Endpoint. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in hcengineering Huly Platform 0.7.382 allows authenticated remote attackers to make arbitrary HTTP requests from the affected server via manipulation of the Import Endpoint in server/front/src/index.ts, potentially enabling access to internal resources, metadata disclosure, or lateral movement within the infrastructure. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability is a server-side request forgery (SSRF) flaw classified under CWE-918, occurring in the Import Endpoint handler of the Huly Platform. The flaw exists in server/front/src/index.ts, where insufficient input validation or URL filtering allows an authenticated attacker to inject arbitrary URLs that the server will fetch on their behalf. This attack leverages the server's network position and credentials to access internal systems, cloud metadata endpoints (e.g., AWS IMDSv1), or services restricted to the server's network segment. The affected product is hcengineering Huly Platform, a collaborative work management platform, with the specific vulnerable version identified as 0.7.382.
RemediationAI
Upgrade hcengineering Huly Platform to a version newer than 0.7.382 as soon as one becomes available; however, no specific patched version has been confirmed as released at the time of analysis. No vendor-released patch identified at time of analysis. In the interim, implement network-level controls to restrict outbound HTTP/HTTPS requests from the Huly Platform server to only necessary external endpoints, and configure firewall rules to block or rate-limit requests to internal IP ranges (169.254.169.254 for metadata, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and localhost addresses. Additionally, apply principle-of-least-privilege to API tokens and service accounts used by the Import Endpoint to minimize lateral movement risk. For more details, consult the disclosure record at https://vuldb.com/vuln/355413.
More in Huly Platform
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19174
GHSA-c8m8-4468-h6xx