Kargo Takip

2 CVEs product

CVE-2026-12095 HIGH This Week

Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

WordPress SSRF Kargo Takip
NVD
CVSS 3.1: 7.2
EPSS: 0.3%
CVE-2026-25365 MEDIUM PATCH This Month

Kargo Takip versions prior to 0.2.4 contain a missing authorization vulnerability that allows authenticated users to modify data or perform unauthorized actions due to improper access control enforcement. An attacker with valid credentials could exploit this weakness to manipulate shipment tracking information or other protected resources without proper privilege verification. No patch is currently available for this vulnerability.

Authentication Bypass Kargo Takip
NVD VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
