CVE-2026-63088
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-918
Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
16/07/2026
Última modificación:
16/07/2026
Descripción
*** Pendiente de traducción *** stoatchat before 0.14.0 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the url_is_blacklisted function, which inspects only the first resolved address while the underlying HTTP client iterates all cached addresses.
Impacto
Puntuación base 4.0
7.70
Gravedad 4.0
ALTA
Puntuación base 3.x
8.60
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://github.com/stoatchat/stoatchat/releases/tag/v0.14.0
- https://github.com/stoatchat/stoatchat/security/advisories/GHSA-4mcc-p83c-r77q
- https://github.com/stoatchat/stoatchat/security/advisories/GHSA-xhww-5g9p-vvq5
- https://www.vulncheck.com/advisories/stoatchat-ssrf-via-dns-based-ip-blocklist-bypass
- https://github.com/stoatchat/stoatchat/security/advisories/GHSA-4mcc-p83c-r77q



