CVE-2026-9813
9.9 CRITICALFlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionali...
Published: 2026-05-28 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 9.9 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- CWE
- CWE-918
Affected products
| Vendor | Product |
|---|---|
| flowintel | flowintel |
Description
FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-50131 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (8.6 HIGH)
- CVE-2026-50127 — Weblate is a web based localization tool (5.9 MEDIUM)
- CVE-2026-46683 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page
- CVE-2026-20252 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.1... (7.6 HIGH)
- CVE-2026-48858 — Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvali...