CVE-2026-6979

Summary

A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
devlikeaproWAHA2026.3.0affected
devlikeaproWAHA2026.3.1affected
devlikeaproWAHA2026.3.2affected
devlikeaproWAHA2026.3.3affected
devlikeaproWAHA2026.3.4affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References