Skip to main content

CoreWorxLab CAAL CVE-2026-8725

| EUVDEUVD-2026-30676 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-17 VulDB GHSA-988g-78qr-2cpm
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 17, 2026 - 02:22 NVD
HIGH MEDIUM
CVSS changed
May 17, 2026 - 02:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
May 17, 2026 - 01:42 vuln.today

DescriptionCVE.org

A weakness has been identified in CoreWorxLab CAAL up to 1.6.0. The affected element is an unknown function of the file src/caal/webhooks.py of the component test-hass Endpoint. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in CoreWorxLab CAAL versions up to 1.6.0 enables unauthenticated remote attackers to make arbitrary HTTP requests from the server through the test-hass endpoint in webhooks.py. The vulnerability has publicly available exploit code and allows attackers to access internal resources, potentially leading to data exposure or further compromise of internal systems. EPSS data not available, not currently in CISA KEV despite public exploit availability.

Technical ContextAI

CoreWorxLab CAAL is affected by a server-side request forgery (SSRF) vulnerability classified as CWE-918. The vulnerability resides in the test-hass endpoint implemented in src/caal/webhooks.py. SSRF vulnerabilities occur when an application accepts user-supplied URLs and makes requests to those URLs without proper validation, allowing attackers to make the server perform requests to arbitrary destinations including internal networks and cloud metadata endpoints.

RemediationAI

No vendor-released patch identified at time of analysis. The vendor was contacted but did not respond to the vulnerability disclosure. Organizations should consider disabling or restricting access to the test-hass endpoint in src/caal/webhooks.py if this functionality is not required. Implement network segmentation to limit the CAAL server's ability to make requests to internal resources. Deploy a web application firewall (WAF) configured to detect and block SSRF patterns in requests to the affected endpoint. Monitor server logs for unusual outbound requests that may indicate exploitation attempts.

Share

CVE-2026-8725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy