Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies.
AnalysisAI
Blind server-side request forgery in prompts.chat media generator allows authenticated users to manipulate the inputImageUrl parameter in /api/media-generate POST requests to perform arbitrary server-side HTTP fetches, enabling internal network reconnaissance, access to internal services, and potential data exfiltration through the upstream Wiro service without receiving direct response bodies. The vulnerability affects prompts.chat prior to commit 1464475 and requires valid user authentication; patch availability has been confirmed through vendor repository.
Technical ContextAI
The vulnerability resides in the Wiro media generator component of prompts.chat (CPE: cpe:2.3:a:f:prompts.chat:*:*:*:*:*:*:*:*), which processes user-supplied inputImageUrl parameters in media generation requests. The root cause is classified under CWE-918 (Server-Side Request Forgery), indicating that the application fails to validate or restrict the destination of server-initiated HTTP requests. The /api/media-generate endpoint performs server-side image fetching based on user-controlled input without implementing proper URL validation, hostname filtering, or network segmentation controls. The SSRF is classified as 'blind' because attackers do not receive direct response bodies from their requested resources, limiting direct data exfiltration to what can be inferred from response timing, status codes, or side-channel behaviors relayed through the Wiro service.
RemediationAI
Apply the vendor-released patch by updating prompts.chat to the version incorporating commit 1464475df2698fb7ccd0cdbc382b0750466f891d or later. Review the patch implementation in GitHub PR #1102 to understand the fix approach. As an interim workaround pending patch deployment, restrict network access from the prompts.chat application server to internal services and sensitive networks using firewall rules or network policies, implement strict URL validation and hostname allowlisting in the /api/media-generate endpoint to reject requests targeting private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, ::1/128, fc00::/7) or internal DNS names, and monitor outbound HTTP requests from the application for suspicious patterns. Additional details and patching guidance are available from the VulnCheck advisory at https://www.vulncheck.com/advisories/prompts-chat-blind-ssrf-via-media-generate.
More in Prompts Chat
View allAuthorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files an
Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hi
Server-side request forgery (SSRF) in prompts.chat allows authenticated users to force the server to make arbitrary HTTP
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18823
GHSA-gv6r-fmg6-c7v4