{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6979", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-24T18:55:19.562Z", "datePublished": "2026-04-25T12:00:20.729Z", "dateUpdated": "2026-04-27T17:38:21.477Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T12:00:20.729Z"}, "title": "devlikeapro WAHA API Request media.controller.ts server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "devlikeapro", "product": "WAHA", "versions": [{"version": "2026.3.0", "status": "affected"}, {"version": "2026.3.1", "status": "affected"}, {"version": "2026.3.2", "status": "affected"}, {"version": "2026.3.3", "status": "affected"}, {"version": "2026.3.4", "status": "affected"}], "modules": ["API Request Handler"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-24T21:00:24.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BigW (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359522", "name": "VDB-359522 | devlikeapro WAHA API Request media.controller.ts server-side request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/359522/cti", "name": "VDB-359522 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/795416", "name": "Submit #795416 | devlikeapro WAHA 0.0.1 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wing3e/public_exp/issues/36", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T17:37:56.565606Z", "id": "CVE-2026-6979", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:38:21.477Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6979", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-24T18:55:19.562Z", "datePublished": "2026-04-25T12:00:20.729Z", "dateUpdated": "2026-04-27T17:38:21.477Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-25T12:00:20.729Z"}, "title": "devlikeapro WAHA API Request media.controller.ts server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "devlikeapro", "product": "WAHA", "versions": [{"version": "2026.3.0", "status": "affected"}, {"version": "2026.3.1", "status": "affected"}, {"version": "2026.3.2", "status": "affected"}, {"version": "2026.3.3", "status": "affected"}, {"version": "2026.3.4", "status": "affected"}], "modules": ["API Request Handler"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-24T21:00:24.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BigW (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359522", "name": "VDB-359522 | devlikeapro WAHA API Request media.controller.ts server-side request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/359522/cti", "name": "VDB-359522 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/795416", "name": "Submit #795416 | devlikeapro WAHA 0.0.1 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/wing3e/public_exp/issues/36", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6979", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T17:37:56.565606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:38:05.163Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6979", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-25T12:15:59.423", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/wing3e/public_exp/issues/36"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/795416"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359522"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359522/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WAHA", "source": "cna", "vendor": "devlikeapro"}, "product": "waha", "vendor": "devlikeapro"}], "analysis": {"en": {"generated_at": "2026-04-28T05:36:06.283106+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011released update for WAHA beyond 2026.3.4 once available.", "Restrict outgoing network traffic from the WAHA server to only approved destinations using firewall rules or access control lists.", "Implement input validation on the API endpoint to accept only whitelisted URLs and reject or sanitize arbitrary addresses.", "Continuously monitor web server and application logs for suspicious outbound requests and respond to anomalies."], "summary": {"action": "Patch", "impact": "Server\u2011side request forgery"}, "threat_synthesis": {"affected_systems": "The affected product is devlikeapro WAHA, for all releases up to and including version 2026.3.4. No other versions are mentioned, and the vendor has not provided a detailed list of affected builds.", "description_and_impact": "A flaw exists in the media.controller.ts file of the devlikeapro WAHA API Request Handler that allows an attacker to manipulate incoming requests so the server sends HTTP requests to arbitrary URLs. This server\u2011side request forgery (SSRF) can expose internal resources, enable credential theft, or facilitate further exploitation. The vulnerability is listed as CWE\u2011918 and is noted to be exploitable from a remote location.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate overall risk. The EPSS score is listed as less than 1\u00a0%, suggesting a very low probability of real\u2011world exploitation at the time of this analysis, and the vulnerability is not yet listed in the CISA KEV catalog. However, an exploit has been published and can be triggered remotely, making the risk higher than the low EPSS alone might imply. Without an official vendor patch, the vulnerability remains open for exploitation until a fix is deployed or mitigations are applied."}}}}, "created": "2026-04-27T19:52:49.299565+00:00", "updated": "2026-04-28T05:45:23.292743+00:00", "vendors": ["devlikeapro", "devlikeapro$PRODUCT$waha"]}