CVE-2026-9813
Published: 2026-05-28
Priority: P2 60 | critical | 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.23% (13.9th percentile)
FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.
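The two checks the description names as insufficient, scheme validation and validation of the resolved destination address, can be sketched as follows. This is an added example, not FlowIntel's code or its fix; `vet_probe_url`, `is_restricted`, `UnsafeURL` and the injectable `resolver` parameter are hypothetical names chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """The URL must not be probed from the server."""


def is_restricted(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or not ip.is_global)


def vet_probe_url(url, resolver=socket.getaddrinfo):
    """Return (host, port, vetted_ips) or raise UnsafeURL.

    Connect to one of vetted_ips instead of resolving the name again, so a
    later DNS answer cannot swap the destination after this check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise UnsafeURL(f"malformed URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        answers = resolver(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:
        raise UnsafeURL(f"cannot resolve {host!r}") from exc
    ips = {ipaddress.ip_address(a[4][0].split("%")[0]) for a in answers}
    # One restricted answer poisons the whole set: mixed public/internal
    # answers are how a hostname is made to pass a check and then rebind.
    bad = sorted(str(ip) for ip in ips if is_restricted(ip))
    if bad or not ips:
        raise UnsafeURL(f"{host!r} resolves to restricted address(es): {bad}")
    return host, port, sorted(str(ip) for ip in ips)
```

The same vetting has to be repeated for every redirect target if the HEAD probe follows redirects, since a permitted public URL can redirect to an internal one.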
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowintel | flowintel | < 3.3.0 | 3.3.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v4.0 | 6.2 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:L/U:Green |
VulDB
FlowIntel up to 3.2.x HEAD Request app/case/task.py server-side request forgery
vuldb·2026-06-07·CVSS 9.9
CVE-2026-9813 [CRITICAL] FlowIntel up to 3.2.x HEAD Request app/case/task.py server-side request forgery
A vulnerability categorized as critical has been discovered in FlowIntel up to 3.2.x. Affected by this issue is some unknown functionality of the file app/case/task.py of the component HEAD Request Handler. Such manipulation leads to server-side request forgery.
This vulnerability is uniquely identified as CVE-2026-9813. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
GHSA
GHSA-58wp-jwch-fgj5: FlowIntel up to version 3
ghsa_unreviewed·2026-05-28
CVE-2026-9813 [MEDIUM] CWE-918 GHSA-58wp-jwch-fgj5: FlowIntel up to version 3
FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-28