Submit #799582: HBAI-Ltd Toonflow 1.1.1 Server-Side Request Forgeryinfo

TitleHBAI-Ltd Toonflow 1.1.1 Server-Side Request Forgery
DescriptionToonflow v1.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/setting/vendorConfig/getCodeByLink endpoint. The link parameter accepts arbitrary URLs without any validation on protocol, hostname, or IP address range. The server-side fetch() call retrieves the target URL and returns the complete response body to the requesting user (full-read SSRF).
Source⚠️ https://github.com/HBAI-Ltd/Toonflow-app/issues/95
User
 Yu Bao (UID 88956)
Submission04/08/2026 11:00 (3 months ago)
Moderation04/26/2026 10:16 (18 days later)
StatusAccepted
VulDB entry359659 [HBAI-Ltd Toonflow-app up to 1.1.1 getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery]
Points19

Might our Artificial Intelligence support you?

Check our Alexa App!