CVE-2026-28508

Idno <1.6.4 - SSRF

Title source: llm

Description

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

References (2)

[Release Notes] https://github.com/idno/idno/releases/tag/1.6.4

[Vendor Advisory] https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6

Scores

EPSS 0.0016

EPSS Percentile 37.3%

Classification

CWE

CWE-918

Status draft

Affected Products (1)

idno/known < 1.6.4Packagist

Timeline

Published Mar 06, 2026

Tracked Since Mar 06, 2026