Critical SSRF Vulnerability Discovered in stoatchat Versions Below 0.13.5
A critical server-side request forgery vulnerability in stoatchat allows unauthenticated attackers to access internal network infrastructure.
A critical security vulnerability, tracked as CVE-2026-63306, has been identified in stoatchat versions prior to 0.13.5. The flaw exists within the /proxy and /embed endpoints, which fail to implement proper DNS resolution filtering or private IP range validation when processing user-supplied URLs.
This server-side request forgery vulnerability allows unauthenticated attackers to supply malicious URLs to the affected endpoints. By leveraging this flaw, unauthorized actors can enumerate internal services, fingerprint applications, and reach sensitive instance metadata endpoints, potentially exposing internal infrastructure.
With a CVSS score of 8.6, this vulnerability is classified as critical. Users are advised to update to version 0.13.5 or later to mitigate the risk of unauthorized access to internal systems.
Continue Reading
23andMe Settles Data Privacy Claims
A multi-state settlement highlights the massive fallout from a 2023 breach that exposed sensitive genetic data for millions of customers.
LegacyHive: A New Windows Zero-Day
A persistent security researcher has unveiled a local privilege escalation bug for Windows 11, raising questions about severity.
CISA Adds Actively Exploited Fortinet FortiSandbox Flaw to KEV Catalog
CISA has confirmed active exploitation of an OS command injection vulnerability in Fortinet FortiSandbox, mandating urgent remediation for federal agencies.