Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/70145?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70145?format=api", "vulnerability_id": "VCID-5r6f-fuyu-4qee", "summary": "PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string \"::1\". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true — a supported and documented configuration — this means any internet user who can register. This issue has been patched in version 0.5.4.", "aliases": [ { "alias": "CVE-2026-42261" } ], "fixed_packages": [], "affected_packages": [], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42261", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25711", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25508", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25707", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25726", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42261" }, { "reference_url": "https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6", "reference_id": "GHSA-9fhh-fjfg-5mr6", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:10:25Z/" } ], "url": "https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6" }, { "reference_url": "https://github.com/legeling/PromptHub/releases/tag/v0.5.4", "reference_id": "v0.5.4", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:10:25Z/" } ], "url": "https://github.com/legeling/PromptHub/releases/tag/v0.5.4" } ], "weaknesses": [ { "cwe_id": 20, "name": "Improper Input Validation", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." }, { "cwe_id": 693, "name": "Protection Mechanism Failure", "description": "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product." }, { "cwe_id": 918, "name": "Server-Side Request Forgery (SSRF)", "description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination." } ], "exploits": [], "severity_range_score": "7.1 - 7.1", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6f-fuyu-4qee" }