CVE-2026-42261

{"id": "CVE-2026-42261", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-05-08T04:16:20.107", "references": [{"url": "https://github.com/legeling/PromptHub/releases/tag/v0.5.4", "tags": ["Patch", "Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-693"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string \"::1\". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true \u2014 a supported and documented configuration \u2014 this means any internet user who can register. This issue has been patched in version 0.5.4."}], "lastModified": "2026-05-12T14:06:59.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:legeling:prompthub:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "70AA7323-FB30-4401-9F87-B09372E70663", "versionEndExcluding": "0.5.4", "versionStartIncluding": "0.4.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}