CVE-2026-26957

MEDIUM

Libredesk <1.0.2-0.20260215211005-727213631ce6 - SSRF


Description

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network where the service is hosted. This issue has been fixed in version 1.0.2-0.20260215211005-727213631ce6.
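The missing control is destination validation on outbound webhook requests. The Go sketch below is an added example, not Libredesk's patch or code: it pairs a save-time URL check with a dial-time check on the resolved address. All function names are hypothetical, and the block list assumes webhooks should only ever reach public addresses.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

var errBlockedDest = fmt.Errorf("webhook destination not allowed")

// isPublicAddr rejects loopback, link-local (169.254.0.0/16), private, multicast, unspecified.
func isPublicAddr(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	return ip.IsGlobalUnicast() && !ip.IsPrivate()
}

// validateWebhookURL is the save-time check: scheme allowlist plus IP-literal hosts.
func validateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return errBlockedDest
	}
	if ip, err := netip.ParseAddr(u.Hostname()); err == nil && !isPublicAddr(ip) {
		return errBlockedDest
	}
	return nil
}

// guardDial runs after DNS resolution and before connect, so rebinding hostnames are refused too.
func guardDial(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || !isPublicAddr(ap.Addr()) {
		return fmt.Errorf("%w: %s", errBlockedDest, address)
	}
	return nil
}

// newWebhookClient: every connection, redirects included, passes guardDial; Proxy stays nil.
func newWebhookClient() *http.Client {
	d := &net.Dialer{Control: guardDial}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	fmt.Println(validateWebhookURL("http://169.254.169.254/"), guardDial("tcp4", "10.0.0.5:80", nil))
}
```

`IsPrivate` does not cover ranges such as 100.64.0.0/10; add any further prefixes that are routable from the host running the service.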

Scores

CVSS v4 6.9
EPSS 0.0006
EPSS Percentile 18.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-209 CWE-918
Status published
Products (2)
abhinavxd/github.com/abhinavxd/libredesk < 1.0.2-0.20260215211005-727213631ce6
abhinavxd/libredesk 0 - 1.0.2-0.20260215211005-727213631ce6 (Go)
Published Feb 20, 2026
Tracked Since Feb 20, 2026