Skip to main content

Huly Platform EUVDEUVD-2026-19174

| CVE-2026-5623 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-06 VulDB GHSA-c8m8-4468-h6xx
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
EUVD ID Assigned
Apr 06, 2026 - 05:45 euvd
EUVD-2026-19174
Analysis Generated
Apr 06, 2026 - 05:45 vuln.today
CVE Published
Apr 06, 2026 - 04:45 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affects an unknown part of the file server/front/src/index.ts of the component Import Endpoint. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in hcengineering Huly Platform 0.7.382 allows authenticated remote attackers to make arbitrary HTTP requests from the affected server via manipulation of the Import Endpoint in server/front/src/index.ts, potentially enabling access to internal resources, metadata disclosure, or lateral movement within the infrastructure. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability is a server-side request forgery (SSRF) flaw classified under CWE-918, occurring in the Import Endpoint handler of the Huly Platform. The flaw exists in server/front/src/index.ts, where insufficient input validation or URL filtering allows an authenticated attacker to inject arbitrary URLs that the server will fetch on their behalf. This attack leverages the server's network position and credentials to access internal systems, cloud metadata endpoints (e.g., AWS IMDSv1), or services restricted to the server's network segment. The affected product is hcengineering Huly Platform, a collaborative work management platform, with the specific vulnerable version identified as 0.7.382.

RemediationAI

Upgrade hcengineering Huly Platform to a version newer than 0.7.382 as soon as one becomes available; however, no specific patched version has been confirmed as released at the time of analysis. No vendor-released patch identified at time of analysis. In the interim, implement network-level controls to restrict outbound HTTP/HTTPS requests from the Huly Platform server to only necessary external endpoints, and configure firewall rules to block or rate-limit requests to internal IP ranges (169.254.169.254 for metadata, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and localhost addresses. Additionally, apply principle-of-least-privilege to API tokens and service accounts used by the Import Endpoint to minimize lateral movement risk. For more details, consult the disclosure record at https://vuldb.com/vuln/355413.

Share

EUVD-2026-19174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy