CVE-2026-25883

EPSS 0.2%
Veröffentlicht 20.04.2026 16:04:36
Zuletzt bearbeitet 23.04.2026 14:10:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vexa Webhook Feature has a SSRF Vulnerability

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vexa ≫ Vexa Version <= 0.10

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.102

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.8	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-25883

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25883

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25883

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25883