Skip to main content

Toonflow-app EUVDEUVD-2026-25767

| CVE-2026-7084 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Apr 27, 2026 - 04:31 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 04:22 euvd
EUVD-2026-25767
Analysis Generated
Apr 27, 2026 - 04:22 vuln.today
CVE Published
Apr 27, 2026 - 04:16 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that "[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it."

AnalysisAI

Server-side request forgery in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to manipulate the Link parameter in the getCodeByLink endpoint, enabling arbitrary HTTP requests from the server. The vendor acknowledges the /getCodeByLink interface is inherently high-risk and designed to fetch and execute TypeScript code locally; public exploit code exists but vendor questions the practical exploitability of the reported vulnerability.

Technical ContextAI

The vulnerability exists in the getCodeByLink endpoint (src/routes/setting/vendorConfig/getCodeByLink.ts) which fetches TypeScript code for local execution. The SSRF weakness (CWE-918) arises from insufficient validation of the Link parameter passed to the fetch function, allowing attackers to redirect server-side HTTP requests to unintended destinations. This enables probing of internal services, exfiltration of credentials, or interaction with cloud metadata endpoints - classic SSRF attack patterns. The endpoint's design to retrieve and execute remote code amplifies the risk, as successful SSRF could be chained with code execution capabilities.

RemediationAI

Upgrade Toonflow-app to a patched version beyond 1.1.1 if available from the vendor. If no patch is released, implement strict input validation and allowlisting on the Link parameter to restrict fetch requests to approved internal domains and block access to cloud metadata endpoints (169.254.169.254, instance metadata services). Restrict access to the /getCodeByLink endpoint to trusted administrators only using network-level or application-level access controls. Consider disabling the /getCodeByLink endpoint entirely if TypeScript code execution is not required. Validate all fetched URLs against a whitelist before executing returned code. Monitor outbound HTTP/HTTPS requests from the application server to detect anomalous SSRF attempts. No vendor-released patch version has been independently confirmed; contact HBAI-Ltd for patch availability and timeline.

Share

EUVD-2026-25767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy