CVE-2026-1884 MEDIUM

CVE-2026-1884: ZenTao Webhook model.php fetchHook server-side request forgery

Vendor N/A

Product ZenTao

Weakness CWE-918 · SSRF

Published February 4, 2026

Last update February 23, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

February 4, 2026 CVE published

February 23, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-1884

Related vulnerabilities

04Related CVE

CVE-2023-6805 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.7 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF) CVE-2023-22817 Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products CVE-2024-0308 Inis Proxy.php server-side request forgery CVE-2024-38728 WordPress Seraphinite Post .DOCX Source plugin <= 2.16.9 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-7146 AlejandroArciniegas mcp-data-vis HTTP Request server.js axios server-side request forgery