CVE-2026-6979

MEDIUM

devlikeapro WAHA API Request media.controller.ts server-side request forgery

Title source: cna

Description

A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Signature, Permissions Required] https://vuldb.com/vuln/359522/cti

[Third Party Advisory] https://vuldb.com/submit/795416

[Exploit] https://github.com/wing3e/public_exp/issues/36

[Vdb Entry] https://vuldb.com/vuln/359522

Scores

CVSS v3 6.3

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (5)

devlikeapro/WAHA 2026.3.0

devlikeapro/WAHA 2026.3.1

devlikeapro/WAHA 2026.3.2

devlikeapro/WAHA 2026.3.3

devlikeapro/WAHA 2026.3.4

Published Apr 25, 2026

Tracked Since Apr 25, 2026