5.3
CVE-2026-22662
- EPSS 0.2%
- Veröffentlicht 03.04.2026 20:27:03
- Zuletzt bearbeitet 13.04.2026 18:18:49
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
Loginprompts.chat Blind SSRF via media-generate
prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fka ≫ Prompts.Chat Version < 2026-03-24
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.093 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
| disclosure@vulncheck.com | 5.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/f/prompts.chat/pull/1102
https://github.com/f/prompts.chat/commit/1464475df2698fb7ccd0cdbc382b0750466f891d
https://www.vulncheck.com/advisories/prompts-chat-blind-ssrf-via-media-generate