All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-59095
HIGHpublished 2026-07-02 20:17 UTC · 2 days ago
8.3
CVSS / 10
// description
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.
// weaknesses (CWE)
- CWE-918