CVE-2026-41644 HIGH

CVE-2026-41644: monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh

Vendor Monetr
Product monetr
Weakness CWE-209 · Generation of Error Message Containing Sensitive Information
Published May 7, 2026
Last update May 7, 2026

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High (vulnerable system), High (subsequent system)
Integrity None
Availability Low (vulnerable system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

What the vulnerability does

Description

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to make the monetr server issue HTTP GET requests to arbitrary caller-supplied URLs during Lunch Flow link creation and refresh. Because the body of any non-200 upstream response was reflected back in the API error message (the CWE-209 component of this record; the request forgery itself corresponds to CWE-918), the attacker could read what services reachable only from the server, such as those listening on loopback or the internal network, return for requests they reject; 200 responses were not reflected, so against those targets the primitive is limited to sending the request and observing its side effects. The issue is fixed in version 1.12.5. Operators of self-hosted instances should upgrade; where upgrading is delayed, restricting egress from the monetr process to loopback, link-local and private address ranges limits what the forged requests can reach.
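The fetch-and-reflect pattern described above, beside a hardened form, as an added example in Go (the language monetr is written in). This is not monetr's code: the function names, the https-only policy, the redirect limit and the loopback stand-in server are assumptions made for illustration. The SSRF guard runs in the dialer's Control hook, after DNS resolution and before connect(), so it checks the IP actually being dialed rather than the hostname the caller typed; the error helpers show the reflected-body mistake and its fix.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"syscall"
	"time"
)

// isPublicIP rejects the address classes an SSRF is usually aimed at:
// loopback, RFC 1918 / ULA, link-local (including 169.254.169.254),
// unspecified and multicast. ip.IsPrivate needs Go 1.17 or later.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.IsInterfaceLocalMulticast())
}

// guardConn is called by net.Dialer with the resolved "ip:port", so a hostname
// that resolves to 127.0.0.1, or rebinds between check and use, is still caught.
// Redirects issued by the upstream go through the same dialer.
func guardConn(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("dialer passed non-IP address %q", address)
	}
	if !isPublicIP(ip) {
		return fmt.Errorf("refusing to connect to non-public address %s", ip)
	}
	return nil
}

// validateLinkURL is the request-time check on the caller-supplied URL
// (assumed policy: https only, no embedded credentials).
func validateLinkURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed, only https", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	if u.Hostname() == "" {
		return nil, errors.New("missing host")
	}
	return u, nil
}

// newGuardedClient wires guardConn into the transport and bounds redirects.
func newGuardedClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second, Control: guardConn}
	return &http.Client{
		Timeout: 10 * time.Second,
		// Proxy: nil disables HTTP_PROXY pickup so every connection is dialed locally.
		Transport: &http.Transport{DialContext: dialer.DialContext, Proxy: nil},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			if req.URL.Scheme != "https" {
				return errors.New("redirect to non-https URL refused")
			}
			return nil
		},
	}
}

// Vulnerable pattern: the upstream body is copied into the API error (CWE-209).
func upstreamErrorVulnerable(status int, body []byte) error {
	return fmt.Errorf("lunch flow request failed: %d: %s", status, body)
}

// Hardened pattern: report the status code only; log the body server-side if needed.
func upstreamErrorHardened(status int, _ []byte) error {
	return fmt.Errorf("lunch flow request failed with HTTP status %d", status)
}

func main() {
	// Constructed stand-in for an internal service on the loopback interface.
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusForbidden)
		fmt.Fprint(w, "internal-only response body")
	}))
	defer internal.Close()

	// Request-time check rejects the http:// URL; the dial-time guard would
	// reject the loopback address even if the scheme check were bypassed.
	if _, err := validateLinkURL(internal.URL); err != nil {
		fmt.Println("validate:", err)
	}
	_, err := newGuardedClient().Get(internal.URL)
	fmt.Println("guarded fetch:", err)

	body := []byte("internal-only response body")
	fmt.Println(upstreamErrorVulnerable(http.StatusForbidden, body))
	fmt.Println(upstreamErrorHardened(http.StatusForbidden, body))
}
```

The Control hook is the part that matters: a check that only resolves the hostname once in the handler and then hands the URL to a default http.Client is a time-of-check/time-of-use gap. isPublicIP does not cover shared address space (100.64.0.0/10) or site-specific ranges; add those for a deployment behind CGNAT or with internal services on public-looking addresses.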

Key dates

Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated