Submit #768070: Woahai321 list-sync <=0.6.6 SSRF

Title: Woahai321 list-sync <=0.6.6 SSRF

Description: The POST /api/notifications/test endpoint accepts a user-supplied webhook_url in the request body and passes it directly to requests.post() (or DiscordWebhook) without any URL validation or allowlist check. An attacker sends a crafted JSON payload with webhook_url pointing to an attacker-controlled server. The application issues an outbound HTTP request to that URL, confirmed by DNS callback hits from the server's IP. This SSRF can be used for internal network scanning, cloud metadata exfiltration (e.g. AWS IMDSv1), or port probing.
Source: https://github.com/Woahai321/list-sync/issues/79

User: ZAST.AI (UID 87884)

Submission: 02/26/2026 09:05 (3 months ago)

Moderation: 03/11/2026 13:36 (13 days later)

Status: Accepted

VulDB entry: 350388 [Woahai321 ListSync up to 0.6.6 JSON api_server.py requests.post server-side request forgery]

Points: 20
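The description above names the root cause: a user-supplied webhook_url reaches requests.post() with no validation or allowlist check. The following is an added example of the kind of check that closes that gap; it is not code from list-sync or from the reporter, and the function name `validate_webhook_url`, the `BLOCKED_NETWORKS` list, the optional `allowed_hosts` parameter and the constructed `FAKE_DNS` table are all assumptions made for this illustration. It rejects non-HTTP schemes and embedded credentials, then resolves the host and refuses any address in loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata address the description alludes to), CGNAT or multicast space, unwrapping IPv4-mapped IPv6 addresses so they cannot slip past the IPv4 ranges.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound webhook must never target. Link-local 169.254.0.0/16
# includes the cloud metadata endpoint (AWS IMDSv1 lives at 169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolve(host):
    """Real resolver: every A/AAAA answer for host (hypothetical helper name)."""
    return [ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)]


# Constructed lookup table so the example runs offline; not real DNS data.
FAKE_DNS = {
    "hooks.example.com": [ipaddress.ip_address("203.0.113.10")],
    "internal.example": [ipaddress.ip_address("10.0.0.5")],
    "localhost": [ipaddress.ip_address("127.0.0.1")],
}


def fake_resolve(host):
    """Offline stand-in for system_resolve, backed by FAKE_DNS."""
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host!r}")


def validate_webhook_url(url, allowed_hosts=None, resolve=system_resolve):
    """Return (True, "ok") if url is safe to post to, else (False, reason).

    allowed_hosts: optional exact-host allowlist (e.g. the webhook provider's
    domain); when given, anything not on it is rejected before resolution.
    resolve: callable(host) -> list of ip_address objects; injectable so the
    check can be exercised without network access.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:            # malformed bracketed IPv6 literal etc.
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not http/https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not allowed"
    if allowed_hosts is not None:
        if host.lower() not in {h.lower() for h in allowed_hosts}:
            return False, f"host {host!r} is not on the allowlist"
    # Literal IP hosts need no lookup; everything else goes through the resolver.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
    for addr in addrs:
        # ::ffff:10.0.0.1 is really 10.0.0.1; check it against the IPv4 ranges.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # The unguarded pattern the report describes is, in effect,
    # requests.post(webhook_url, ...); the guard belongs in front of that call.
    for candidate in ("https://hooks.example.com/abc",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:10.0.0.1]/",
                      "https://internal.example/hook"):
        print(candidate, "->", validate_webhook_url(candidate, resolve=fake_resolve))
```

Two caveats a deployer would want: the check resolves the name once and the HTTP client resolves it again, so a DNS answer that changes between the two lookups (rebinding) can still reach a blocked address unless the client is pinned to the validated IP; and a redirect from an allowed host can land on an internal one, so redirects should be disabled or each hop re-validated.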
