CVE-2026-3681 MEDIUM

CVE-2026-3681: welovemedia FFmate webhook.go fireWebhook server-side request forgery

Vendor Welovemedia
Product FFmate
Weakness CWE-918 · SSRF
Published March 7, 2026
Last update March 11, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

March 7, 2026 CVE published
March 11, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-6625 moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery CVE-2026-26324 OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) CVE-2024-56800 Firecrawl has SSRF Vulnerability via malicious scrape target CVE-2023-35896 IBM Content Navigator server-side request forgery CVE-2025-64709 Typebot May Expose AWS EKS Credentials via Server Side Request Forgery in Webhook Block