CVE-2026-8725

Summary

A weakness has been identified in CoreWorxLab CAAL up to 1.6.0. The affected element is an unknown function of the file src/caal/webhooks.py of the component test-hass Endpoint. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
CoreWorxLabCAAL1.0affected
CoreWorxLabCAAL1.1affected
CoreWorxLabCAAL1.2affected
CoreWorxLabCAAL1.3affected
CoreWorxLabCAAL1.4affected
CoreWorxLabCAAL1.5affected
CoreWorxLabCAAL1.6.0affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References