CVE-2026-3958

Summary

A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
Woahai321ListSync0.6.0affected
Woahai321ListSync0.6.1affected
Woahai321ListSync0.6.2affected
Woahai321ListSync0.6.3affected
Woahai321ListSync0.6.4affected
Woahai321ListSync0.6.5affected
Woahai321ListSync0.6.6affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References