Advertisement
Security

Critical SSRF Vulnerability Discovered in stoatchat Versions Below 0.13.5

A critical server-side request forgery vulnerability in stoatchat allows unauthenticated attackers to access internal network infrastructure.

··1 hour ago·1 min read
a close up of a network with wires connected to it
Photo by Albert Stoynov on Unsplash
Advertisement

A critical security vulnerability, tracked as CVE-2026-63306, has been identified in stoatchat versions prior to 0.13.5. The flaw exists within the /proxy and /embed endpoints, which fail to implement proper DNS resolution filtering or private IP range validation when processing user-supplied URLs.

This server-side request forgery vulnerability allows unauthenticated attackers to supply malicious URLs to the affected endpoints. By leveraging this flaw, unauthorized actors can enumerate internal services, fingerprint applications, and reach sensitive instance metadata endpoints, potentially exposing internal infrastructure.

With a CVSS score of 8.6, this vulnerability is classified as critical. Users are advised to update to version 0.13.5 or later to mitigate the risk of unauthorized access to internal systems.

#vulnerability#ssrf#stoatchat#cve-2026-63306

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement