Skip to main content

Stoatchat CVE-2026-63088

| EUVDEUVD-2026-44970 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-16 VulnCheck
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Remote, unauthenticated, low-complexity SSRF (AV:N/AC:L/PR:N/UI:N) with scope change (S:C) exposing internal services' confidentiality (C:H); no direct integrity/availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 17:15 vuln.today
Analysis Generated
Jul 16, 2026 - 17:15 vuln.today
CVE Published
Jul 16, 2026 - 16:40 cve.org
HIGH 7.7

DescriptionCVE.org

stoatchat before 0.14.0 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the url_is_blacklisted function, which inspects only the first resolved address while the underlying HTTP client iterates all cached addresses.

AnalysisAI

Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed Stoatchat URL-fetch feature
Delivery
Register hostname with multi-record DNS (benign + internal IP)
Exploit
Submit crafted URL, pass first-address blocklist check
Execution
HTTP client connects to internal/metadata address
Impact
Read or interact with internal service responses

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Stoatchat instance (before 0.14.0) expose a feature that causes the server to fetch an attacker-supplied URL and that the attacker can control or influence DNS resolution for the supplied hostname so that it resolves to multiple addresses - a benign one first (to pass url_is_blacklisted) and a blocked/internal one that the HTTP client later uses. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately concerning but not maximal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits to an internet-exposed Stoatchat server a URL whose hostname they control via DNS, arranged so the first resolved record is a harmless public IP that passes url_is_blacklisted while a subsequent cached record points at 169.254.169.254 or an internal admin service. The server's HTTP client iterates the addresses and connects to the internal target, letting the attacker probe or read responses from services behind the firewall. …
Remediation Upgrade to Stoatchat v0.14.0 or later - Vendor-released patch: 0.14.0 (https://github.com/stoatchat/stoatchat/releases/tag/v0.14.0), which is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all deployed Stoatchat instances and document their versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy