Search criteria

4 vulnerabilities

CVE-2026-59234 (GCVE-0-2026-59234)

Vulnerability from cvelistv5 – Published: 2026-07-03 12:47 – Updated: 2026-07-03 12:47 X_Open Source
VLAI?
Title
Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion
Summary
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
Roskus Prospero Flow CRM Affected: 1.0.0 , < 5.5.3 (semver)
    cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Robert Mihaila Amirreza Fadaeizadeh Bidari Xoan M. Otero Jorge Secur0 CNA Gustavo Novaro
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/Roskus/prospero-flow-crm",
          "cpes": [
            "cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Prospero Flow CRM",
          "programFiles": [
            "app/Http/Controllers/Calendar/CalendarDeleteEventController.php"
          ],
          "repo": "https://github.com/Roskus/prospero-flow-crm",
          "vendor": "Roskus",
          "versions": [
            {
              "lessThan": "5.5.3",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.5.3",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Mihaila"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Amirreza Fadaeizadeh Bidari"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Xoan M. Otero Jorge"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Secur0 CNA"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Gustavo Novaro"
        }
      ],
      "datePublic": "2026-07-02T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u0026gt;delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users\u0027 calendar events across the platform.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u003edelete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users\u0027 calendar events across the platform."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T12:47:38.445Z",
        "orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
        "shortName": "Secur0"
      },
      "references": [
        {
          "name": "Fix commit 8c26eed4 - add user_id ownership check before delete",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70"
        },
        {
          "name": "Release v5.5.3 (fixed version)",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version 5.5.3 or higher."
            }
          ],
          "value": "Upgrade to version 5.5.3 or higher."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
    "assignerShortName": "Secur0",
    "cveId": "CVE-2026-59234",
    "datePublished": "2026-07-03T12:47:38.445Z",
    "dateReserved": "2026-07-03T11:24:39.241Z",
    "dateUpdated": "2026-07-03T12:47:38.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-13164 (GCVE-0-2026-13164)

Vulnerability from cvelistv5 – Published: 2026-06-24 15:37 – Updated: 2026-06-24 16:43
VLAI?
Title
Unauthenticated self-registration in MailerUp allows access to stored email data
Summary
Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker
CWE
  • CWE-306 - Missing authentication for critical function
Assigner
Impacted products
Vendor Product Version
Mailerup Mailerup Affected: 0 , < 1.0.1 (custom)
Create a notification for this product.
Credits
Dario Rivas Quero Cristian Fernandez Cornejo Mario Alvarez Fernandez Xoan M. Otero Jorge Secur0 CNA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13164",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T16:42:15.974524Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T16:43:56.757Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mailerup",
          "repo": "https://github.com/Maalfer/mailerup",
          "vendor": "Mailerup",
          "versions": [
            {
              "lessThan": "1.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mailerup:mailerup:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dario Rivas Quero"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Cristian Fernandez Cornejo"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mario Alvarez Fernandez"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Xoan M. Otero Jorge"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Secur0 CNA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authentication for Critical Function (CWE-306) in the \u003ccode\u003eRegisterView\u003c/code\u003e (\u003ccode\u003eapps/accounts/views.py\u003c/code\u003e), exposed at \u003ccode\u003ePOST /api/auth/register/\u003c/code\u003e, in MailerUp \u0026lt;1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the \u003ccode\u003eAllowAny\u003c/code\u003e permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker"
            }
          ],
          "value": "Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp \u003c1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing authentication for critical function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T15:37:17.398Z",
        "orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
        "shortName": "Secur0"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5"
        },
        {
          "tags": [
            "technical-description",
            "related"
          ],
          "url": "https://secur0.com/en/cna/cve-list/cve-2026-13164-unauthenticated-self-registration-in-mailerup-allows-access-to-stored-email-data"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version greater or equal than 1.0.1"
            }
          ],
          "value": "Upgrade to version greater or equal than 1.0.1"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unauthenticated self-registration in MailerUp allows access to stored email data",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
    "assignerShortName": "Secur0",
    "cveId": "CVE-2026-13164",
    "datePublished": "2026-06-24T15:37:17.398Z",
    "dateReserved": "2026-06-24T12:50:14.906Z",
    "dateUpdated": "2026-06-24T16:43:56.757Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-13163 (GCVE-0-2026-13163)

Vulnerability from cvelistv5 – Published: 2026-06-24 12:49 – Updated: 2026-06-24 13:07
VLAI?
Title
Lack of input validation in Mailerup input parameter leads to Open Redirect
Summary
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
CWE
  • CWE-601 - URL redirection to untrusted site ('open redirect')
Assigner
Impacted products
Vendor Product Version
Mailerup Mailerup Affected: 0 , < 1.0.1 (custom)
Create a notification for this product.
Credits
Dario Rivas Quero from Secur0 security team Cristian Fernandez Cornejo from Secur0 security team Mario Alvarez Fernandez Xoan M. Otero Jorge Secur0 CNA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13163",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T13:06:55.947222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T13:07:07.003Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mailerup",
          "repo": "https://github.com/Maalfer/mailerup",
          "vendor": "Mailerup",
          "versions": [
            {
              "lessThan": "1.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mailerup:mailerup:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dario Rivas Quero from Secur0 security team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Cristian Fernandez Cornejo from Secur0 security team"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mario Alvarez Fernandez"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Xoan M. Otero Jorge"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Secur0 CNA"
        }
      ],
      "datePublic": "2026-06-24T12:40:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Open redirect vulnerability (CWE-601) in the \u003ccode\u003e_safe_redirect\u003c/code\u003e function of the click-tracking endpoint (\u003ccode\u003e/c/\u0026lt;token\u0026gt;/\u003c/code\u003e) in \u003ccode\u003eMailerup \u0026lt;1.0.0\u003c/code\u003e\u0026nbsp;on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted \u003ccode\u003eu\u003c/code\u003e\u0026nbsp;query parameter, because the URL scheme is validated (blocking \u003ccode\u003ejavascript:\u003c/code\u003e and \u003ccode\u003edata:\u003c/code\u003e) but the destination host is not restricted to an allowlist, and a \u003ccode\u003esigning.BadSignature\u003c/code\u003e exception is silently caught so a valid signed token is not required."
            }
          ],
          "value": "Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/\u003ctoken\u003e/) in Mailerup \u003c1.0.0\u00a0on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u\u00a0query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T12:49:05.227Z",
        "orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
        "shortName": "Secur0"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version 1.0.1 or higher."
            }
          ],
          "value": "Upgrade to version 1.0.1 or higher."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Lack of input validation in Mailerup input parameter leads to Open Redirect",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
    "assignerShortName": "Secur0",
    "cveId": "CVE-2026-13163",
    "datePublished": "2026-06-24T12:49:05.227Z",
    "dateReserved": "2026-06-24T12:44:34.692Z",
    "dateUpdated": "2026-06-24T13:07:07.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-13150 (GCVE-0-2026-13150)

Vulnerability from cvelistv5 – Published: 2026-06-24 10:45 – Updated: 2026-06-24 11:57
VLAI?
Title
SSRF in Pentestify PDF generation endpoint via Host header
Summary
Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.
CWE
  • CWE-918 - Server-Side request forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
Pentestify Pentestify Affected: 0 , < 1.1.0 (custom)
Create a notification for this product.
Credits
Dario Rivas Quero from Secur0 security team Cristian Fernandez Cornejo from Secur0 security team Mario Alvarez Fernandez Xoan M. Otero Jorge Secur0 CNA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13150",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T11:57:12.138307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T11:57:56.451Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pentestify",
          "repo": "https://github.com/ccyl13/Pentestify",
          "vendor": "Pentestify",
          "versions": [
            {
              "lessThan": "1.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:pentestify:pentestify:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dario Rivas Quero from Secur0 security team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Cristian Fernandez Cornejo from Secur0 security team"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mario Alvarez Fernandez"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Xoan M. Otero Jorge"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Secur0 CNA"
        }
      ],
      "datePublic": "2026-06-24T10:45:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint \u003ccode\u003eGET /api/reports/{id}/pdf\u003c/code\u003e (\u003ccode\u003ebackend/main.py\u003c/code\u003e) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted \u003ccode\u003eHost\u003c/code\u003e header, because the target URL is built from \u003ccode\u003erequest.base_url\u003c/code\u003e without validation."
            }
          ],
          "value": "Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-300",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-300 Port Scanning"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side request forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T10:45:17.553Z",
        "orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
        "shortName": "Secur0"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to version 1.1.0 or higher"
            }
          ],
          "value": "Upgrade to version 1.1.0 or higher"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "SSRF in Pentestify PDF generation endpoint via Host header",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
    "assignerShortName": "Secur0",
    "cveId": "CVE-2026-13150",
    "datePublished": "2026-06-24T10:45:17.553Z",
    "dateReserved": "2026-06-24T10:36:43.095Z",
    "dateUpdated": "2026-06-24T11:57:56.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}