cbcvebase.
CVE-2026-28508
published 2026-03-06


Priority: P2 61 · Severity: high · CVSS 3.1 base score: 8.6
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
EPSS: 0.63% (45.5th percentile)
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

Affected

3 ranges

Vendor     | Product | Version range  | Fixed in
-----------|---------|----------------|---------
idno       | idno    | < 1.6.4        | 1.6.4
idno       | known   | >= 0, < 1.6.4  | 1.6.4
withknown  | known   | < 1.6.4        | 1.6.4

Detection & IOCs (extracted from sources)

  • The vulnerable endpoint is the URL unfurl service. Monitor for unauthenticated HTTP requests targeting this endpoint, especially from external or unexpected sources.
  • Watch for outbound HTTP requests originating from the Idno/Known server to internal network addresses or cloud instance metadata service IPs (e.g., 169.254.169.254); such requests may indicate SSRF exploitation.
  • The affected package is idno/known (Composer). Audit installations for versions prior to 1.6.4.
  • The CSRF bypass is rooted in a logic error in the API authentication flow, not in a missing token: standard CSRF token checks may appear to be present but are ineffective prior to the patch.
  • The endpoint requires no login, which compounds the CSRF bypass: access controls at the authentication layer alone are insufficient to mitigate this vulnerability without the patch.
  • A public exploit exists for this CVE, raising the urgency of patching to version 1.6.4.

CVSS provenance

Source | Version | Score | Severity | Vector
-------|---------|-------|----------|-------
nvd    | v3.1    | 8.6   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
nvd    | v4.0    | 9.2   | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X