CVE-2026-63306 PUBLISHED

stoatchat before 0.13.5 Unauthenticated SSRF via proxy and embed endpoints

Assigner: VulnCheck
Reserved: 16.07.2026 Published: 16.07.2026 Updated: 16.07.2026

stoatchat before 0.13.5 contains an unauthenticated server-side request forgery vulnerability in the /proxy and /embed endpoints that accept arbitrary URLs without DNS resolution filtering or private IP range validation. Attackers can enumerate internal services, fingerprint applications, and reach instance metadata endpoints by supplying malicious URLs or leveraging redirect chains to access internal infrastructure.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor stoatchat
Product stoatchat
Versions Default: unaffected
  • affected from 0 to 0.13.5 (excl.)
  • Version 0.13.5 is unaffected

Credits

  • AzureADTrent reporter

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE