Skip to main content

Scalar Astro EUVDEUVD-2026-30948

| CVE-2026-30118 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-19 mitre GHSA-46mr-vgx5-fc36
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 14:22 vuln.today
CVSS changed
May 20, 2026 - 14:22 NVD
9.8 (CRITICAL)
CVE Published
May 19, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentication cookies and headers exposure and possible privilege escalation.

AnalysisAI

Server-side request forgery in scalar/astro v0.1.13 allows remote unauthenticated attackers to coerce the backend into making HTTP requests to attacker-controlled destinations via the scalar_url query parameter of the Scalar Proxy endpoint. Exploitation can expose authentication cookies and headers forwarded by the proxy, enabling account takeover and potential privilege escalation. Publicly available exploit code exists, though EPSS is low (0.03%) suggesting limited mass exploitation at this time.

Technical ContextAI

Scalar is an open-source API documentation and reference platform; the affected component is the Astro integration (scalar/astro) at version 0.1.13, which ships a proxy endpoint that fetches arbitrary URLs supplied through the scalar_url query parameter. The flaw is a textbook CWE-918 (Server-Side Request Forgery): user input is used to construct an outbound HTTP request from the server without validating the destination host, scheme, or whether internal/loopback/metadata ranges are permitted. Because the proxy forwards request headers, any session cookies or authorization tokens attached to the proxy request can be leaked to the attacker-controlled destination. The CPE in NVD is the placeholder cpe:2.3:a:n/a:n/a, indicating that no canonical vendor/product CPE has yet been assigned for scalar/astro.

RemediationAI

No vendor-released patch identified at time of analysis - neither the NVD nor EUVD record cites a fixed version, and no vendor advisory is linked in the provided references, so administrators should monitor the scalar/astro repository for a release above 0.1.13 and upgrade as soon as one is published. Until a fix is available, restrict or disable the Scalar Proxy endpoint at the reverse proxy or web server (deny requests to the proxy route that handle scalar_url), or strip/validate the scalar_url query parameter with an egress allowlist that constrains it to known documentation hosts only; both of these break the legitimate proxy-driven API try-it functionality, so expect documentation 'Try it' features to fail until restored. As a defense-in-depth control, block outbound traffic from the application host to internal RFC1918 ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254) so that even a successful SSRF cannot reach sensitive internal services, and rotate any session cookies or API tokens that may have been forwarded through the proxy. Authoritative tracking URL: https://nvd.nist.gov/vuln/detail/CVE-2026-30118.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-30948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy