Skip to main content

stoatchat EUVDEUVD-2026-44915

| CVE-2026-63306 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-16 VulnCheck GHSA-j5jq-jcvc-gxxc
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Unauthenticated low-complexity network SSRF (PR:N/AC:L); scope changes as the server pivots to internal systems (S:C) with high confidentiality but no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 14:03 EUVD
Analysis Generated
Jul 16, 2026 - 13:21 vuln.today
CVE Published
Jul 16, 2026 - 12:19 cve.org
CRITICAL 9.2

DescriptionCVE.org

stoatchat before 0.13.5 contains an unauthenticated server-side request forgery vulnerability in the /proxy and /embed endpoints that accept arbitrary URLs without DNS resolution filtering or private IP range validation. Attackers can enumerate internal services, fingerprint applications, and reach instance metadata endpoints by supplying malicious URLs or leveraging redirect chains to access internal infrastructure.

AnalysisAI

Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach stoatchat /proxy or /embed
Delivery
Supply internal or metadata URL
Exploit
Server fetches attacker-controlled target
Execution
Follow redirect into internal network
Persist
Read internal/metadata response
Impact
Enumerate services and harvest credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable /proxy or /embed endpoint be network-reachable by the attacker; these endpoints exist and are enabled in stoatchat versions before 0.13.5. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine high priority for anyone running stoatchat exposed to untrusted networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with only network access to a stoatchat instance sends a request to the /proxy or /embed endpoint containing a URL such as http://169.254.169.254/latest/meta-data/ or an internal host, or an attacker-controlled URL that redirects into the internal network. The server dutifully fetches the target and returns or reflects the response, letting the attacker map internal services and harvest cloud metadata/credentials. …
Remediation Vendor-released patch: upgrade to stoatchat 0.13.5 or later, which is the primary and recommended fix, per the GitHub advisory GHSA-xhww-5g9p-vvq5 (https://github.com/stoatchat/stoatchat/security/advisories/GHSA-xhww-5g9p-vvq5) and the VulnCheck advisory (https://www.vulncheck.com/advisories/stoatchat-before-unauthenticated-ssrf-via-proxy-and-embed-endpoints). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately disable or restrict access to the /proxy and /embed endpoints, and implement egress filtering at the network perimeter to block unauthorized outbound requests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy