Stoatchat Vulnerable to Unauthenticated Server-Side Request Forgery
A critical SSRF vulnerability in Stoatchat versions prior to 0.13.5 allows unauthenticated attackers to access internal network infrastructure.
Stoatchat versions before 0.13.5 are affected by a critical server-side request forgery (SSRF) vulnerability identified as CVE-2026-63306. The flaw exists within the /proxy and /embed endpoints, which fail to properly validate or filter URLs provided by users.
Because the application lacks DNS resolution filtering and private IP range validation, unauthenticated attackers can supply malicious URLs to enumerate internal services and fingerprint applications. This vulnerability may also allow attackers to reach instance metadata endpoints or leverage redirect chains to gain access to restricted internal infrastructure.
Users and administrators are advised to update to version 0.13.5 or later to mitigate this security risk.
Continue Reading
23andMe Settles Data Privacy Claims
A multi-state settlement highlights the massive fallout from a 2023 breach that exposed sensitive genetic data for millions of customers.
LegacyHive: A New Windows Zero-Day
A persistent security researcher has unveiled a local privilege escalation bug for Windows 11, raising questions about severity.
Critical SSRF Vulnerability Discovered in stoatchat Versions Below 0.13.5
A critical server-side request forgery vulnerability in stoatchat allows unauthenticated attackers to access internal network infrastructure.