CVE-2026-6979 MEDIUM

CVE-2026-6979: devlikeapro WAHA API Request media.controller.ts server-side request forgery

Vendor Devlikeapro
Product WAHA
Weakness CWE-918 · SSRF
Published April 25, 2026
Last update April 27, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

April 25, 2026 CVE published
April 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-33480 AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy CVE-2024-29736 Apache CXF: SSRF vulnerability via WADL stylesheet parameter CVE-2026-6625 moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery CVE-2026-23845 Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API CVE-2026-1356 Converter for Media – Optimize images | Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src