CVE-2026-3681

Summary

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
welovemediaFFmate2.0.0affected
welovemediaFFmate2.0.1affected
welovemediaFFmate2.0.2affected
welovemediaFFmate2.0.3affected
welovemediaFFmate2.0.4affected
welovemediaFFmate2.0.5affected
welovemediaFFmate2.0.6affected
welovemediaFFmate2.0.7affected
welovemediaFFmate2.0.8affected
welovemediaFFmate2.0.9affected
welovemediaFFmate2.0.10affected
welovemediaFFmate2.0.11affected
welovemediaFFmate2.0.12affected
welovemediaFFmate2.0.13affected
welovemediaFFmate2.0.14affected
welovemediaFFmate2.0.15affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References