Search criteria
1 vulnerability by devlikeapro
CVE-2026-6979 (GCVE-0-2026-6979)
Vulnerability from cvelistv5 – Published: 2026-04-25 12:00 – Updated: 2026-04-27 17:38
VLAI
Title
devlikeapro WAHA API Request media.controller.ts server-side request forgery
Summary
A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359522 | vdb-entry |
| https://vuldb.com/vuln/359522/cti | signaturepermissions-required |
| https://vuldb.com/submit/795416 | third-party-advisory |
| https://github.com/wing3e/public_exp/issues/36 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| devlikeapro | WAHA |
Affected:
2026.3.0
Affected: 2026.3.1 Affected: 2026.3.2 Affected: 2026.3.3 Affected: 2026.3.4 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6979",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T17:37:56.565606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T17:38:21.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"API Request Handler"
],
"product": "WAHA",
"vendor": "devlikeapro",
"versions": [
{
"status": "affected",
"version": "2026.3.0"
},
{
"status": "affected",
"version": "2026.3.1"
},
{
"status": "affected",
"version": "2026.3.2"
},
{
"status": "affected",
"version": "2026.3.3"
},
{
"status": "affected",
"version": "2026.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BigW (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T12:00:20.729Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359522 | devlikeapro WAHA API Request media.controller.ts server-side request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/359522"
},
{
"name": "VDB-359522 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359522/cti"
},
{
"name": "Submit #795416 | devlikeapro WAHA 0.0.1 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/795416"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/wing3e/public_exp/issues/36"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-24T21:00:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "devlikeapro WAHA API Request media.controller.ts server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6979",
"datePublished": "2026-04-25T12:00:20.729Z",
"dateReserved": "2026-04-24T18:55:19.562Z",
"dateUpdated": "2026-04-27T17:38:21.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}