Enviar #795416: devlikeapro WAHA 0.0.1 Server-Side Request Forgeryinformación

Títulodevlikeapro WAHA 0.0.1 Server-Side Request Forgery
DescripciónWAHA media conversion endpoints accept user-provided file URLs and fetch them server-side. The input URL flows from authenticated API requests into session.fetch(...), then to axios.get(url, ...) without destination controls (no private-range blocking, no allowlist). This creates an authenticated SSRF condition usable by any API key holder with session access.
Fuente⚠️ https://github.com/wing3e/public_exp/issues/36
Usuario
 BigW (UID 96422)
Sumisión2026-04-02 11:41 (hace 24 días)
Moderación2026-04-24 20:55 (22 days later)
EstadoAceptado
Entrada de VulDB359522 [devlikeapro WAHA hasta 2026.3.4 API Request media.controller.ts escalada de privilegios]
Puntos18

AnteriorVisión De ConjuntoPróximo

Interested in the pricing of exploits?

See the underground prices here!