Which versions of go-fastdfs-web are affected by EUVD-2026-34972?

perfree go-fastdfs-web versions through 1.3.7 contain an unauthenticated server-side request forgery vulnerability in the installation endpoint that allows attackers to probe internal networks and…

Is there a public PoC exploit available for EUVD-2026-34972?

Yes, a public proof-of-concept exploit is available for EUVD-2026-34972. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2026-34972?

WITHIN 24 HOURS: Inventory go-fastdfs-web deployments (specifically versions 1.3.7 and earlier); restrict network access to the /install/checkServer endpoint via firewall; deploy Web Application Firewall rules to block SSRF payloads targeting internal networks. WITHIN 7 DAYS: Contact vendor to confirm patch availability status; evaluate migration to alternative file storage solutions with documented patch support. WITHIN 30 DAYS: Execute migration to patched alternative software or implement network isolation with egress controls blocking connections to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata services (169.254.169.254), with continuous egress monitoring.

go-fastdfs-web EUVD-2026-34972

Q: What is the CVSS score of EUVD-2026-34972?

EUVD-2026-34972 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-11437 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-06-06 VulDB

GHSA-6g49-gvr8-2cj2

SSRF Go Fastdfs Web

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Jun 06, 2026 - 17:22 NVD

HIGH MEDIUM

CVSS changed

Jun 06, 2026 - 17:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Analysis Generated

Jun 06, 2026 - 17:15 vuln.today

DescriptionCVE.org

A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in perfree go-fastdfs-web versions up to 1.3.7 allows remote unauthenticated attackers to coerce the application into issuing arbitrary outbound HTTP requests via the checkServer function exposed at the /install/checkServer installation endpoint. Publicly available exploit code exists per VulDB, and the vendor did not respond to disclosure, leaving deployments without a confirmed fix. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed go-fastdfs-web installer

Delivery

Send crafted /install/checkServer request

Exploit

Application performs outbound HTTP to attacker-chosen URL

Execution

Receive internal response or metadata

Persist

Harvest cloud credentials or map internal services

Impact

Pivot using stolen tokens