CVE-2026-4528

HIGH

trueleaf ApiFlow URL Validation http_proxy.service.ts validateUrlSecurity server-side request forgery

Title source: cna
STIX 2.1

Description

A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/http_proxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

References (4)

Scores

CVSS v3 7.3
EPSS 0.0005
EPSS Percentile 16.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (1)
trueleaf/ApiFlow 0.9.7
Published Mar 21, 2026
Tracked Since Mar 22, 2026