Submit #742633: Zentao PMS <=21.7.6-85642 SSRF

Title: Zentao PMS <=21.7.6-85642 SSRF
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the Webhook module of ZenTao CMS that allows authenticated administrators to read arbitrary files from the server's local filesystem. The vulnerability stems from insufficient URL validation when configuring webhook URLs, specifically the lack of protocol filtering for the file:// scheme. Additionally, the response from file protocol requests is stored and displayed in the webhook logs, enabling attackers to retrieve sensitive file contents.
Source: https://github.com/ez-lbz/ez-lbz.github.io/issues/9
User: ez-lbz (UID 87033)
Submission: 01/20/2026 10:29 (5 months ago)
Moderation: 02/04/2026 15:17 (15 days later)
Status: Accepted
VulDB entry: 344264 [ZenTao up to 21.7.6-85642 Webhook module/webhook/model.php fetchHook server-side request forgery]
Points: 20
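
The missing check named in the description, sketched as an added example (this is not ZenTao's code or its fix): a webhook URL validator that allow-lists http/https and, going beyond the file:// case on this page, also rejects hosts that resolve to internal addresses. The function names `isInternalIp`, `validateWebhookUrl` and `hardenCurl` are hypothetical, and the sample URLs and resolver are constructed.

```php
<?php
// Added example: hypothetical helpers, not taken from ZenTao.

/** True if $ip is loopback, private, link-local or otherwise reserved. */
function isInternalIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/** Validate a webhook URL; $resolver is injectable so the check runs offline. */
function validateWebhookUrl(string $url, ?callable $resolver = null): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return [false, 'malformed URL'];
    }
    // Allow-list, not deny-list: file://, gopher://, dict:// etc. all fail here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed: ' . $parts['scheme']];
    }
    if (empty($parts['host'])) {
        return [false, 'missing host'];
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets
    $resolver ??= static fn(string $h) => gethostbynamel($h) ?: [];
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (!$ips) {
        return [false, 'host does not resolve'];
    }
    foreach ($ips as $ip) {
        if (isInternalIp($ip)) return [false, "internal address: $ip"];
    }
    return [true, 'ok'];
}

/** Pin cURL to HTTP(S) so neither the request nor a redirect can use file://. */
function hardenCurl($ch): void
{
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
}

// Constructed sample inputs and a constructed resolver (no network access).
$fakeDns = static fn(string $h) => ['hooks.example.com' => ['93.184.216.34']][$h] ?? [];
foreach (['file:///etc/passwd', 'http://127.0.0.1/', 'https://hooks.example.com/x'] as $u) {
    [$ok, $why] = validateWebhookUrl($u, $fakeDns);
    printf("%-30s %s (%s)\n", $u, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Run the validator both when the webhook is saved and again immediately before each fetch, since DNS answers can change between the two.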