CVE-2026-63088

Source
https://cve.org/CVERecord?id=CVE-2026-63088
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-63088.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-63088
Related
  • GHSA-4mcc-p83c-r77q
  • GHSA-xhww-5g9p-vvq5
Published
2026-07-16T16:40:56.120Z
Modified
2026-07-17T03:45:35.859208260Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
stoatchat < 0.14.0 SSRF via DNS-based IP Blocklist Bypass
Details

stoatchat before 0.14.0 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the urlisblacklisted function, which inspects only the first resolved address while the underlying HTTP client iterates all cached addresses.

Database specific
{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/63xxx/CVE-2026-63088.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/stoatchat/stoatchat

Affected ranges

Type
GIT
Repo
https://github.com/stoatchat/stoatchat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.14.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.1.0
0.2.0
0.2.10
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.0-rc.0
0.3.1
0.3.2
0.3.3
0.3.3-alpha.0
0.3.3-alpha.1
0.3.3-alpha.2
0.3.3-alpha.3
0.3.3-alpha.4
0.3.3-alpha.5
0.3.3-alpha.6
0.3.3-alpha.7
0.4.0
0.4.1
0.5.0
0.5.3
0.5.3-1
0.5.3-2
0.5.3-3
0.5.3-4
0.5.3-5
0.5.3-5-patch.1
0.5.3-5-patch.2
0.5.3-5-patch.3
0.5.3-alpha.10
0.5.3-alpha.11
0.5.3-alpha.13
0.5.3-alpha.14
0.5.3-alpha.15
0.5.3-alpha.16
0.5.3-alpha.6
0.5.3-alpha.7
0.5.3-alpha.8
0.5.3-alpha.9
0.5.3-patch.1
0.5.3-patch.2
0.5.3-rc.1
0.5.3-rc.2
0.5.3-rc.3
0.5.3-rc.4
0.5.3-rc.5
0.5.4
0.5.5
Other
20220606-1
20220609-1
20220610-1
20220610-2
20220611-1
20220612-1
20220612-2
20220612-3
20220612-4
20220614-1
20220620-1
20220621-1
20220623-1
20220710-1
20220714-1
20220715-1
20220718-1
20220726-1
20220814-1
20220901-1
20220902-1
20220903-1
20220912-1
20220918-1
20220918-2
20221023-1
20221023-2
20221119-1
20230603-1
20230603-2
20230603-3
20230604-1
20230611-1
20230611-2
20230611-3
20230611-4
20230611-5
20230615-1
20230702-1
20230704-1
20230810-1
20230810-2
20230810-3
20230826-1
20230827-1-beta
20230827-2-beta
20230827-3-beta
20230903-1-beta
20230903-2-beta
20230905-1-beta
20231026-01
20231028-1
20231028-2
20240206-1
20240210-1
20240210-2
20240212-1
20240407-1
20240408-1
20240408-2
20240408-3
20240408-4
20240516-1
20240604-1
20240609-1
20240611-1
20240611-2
20240611-3
20240615-1
20240619-1
20240620-1
20240620-2
20240621-1
20240623-1
20240625-1
20240625-2
20240626-1
20240629-1
20240710-1
20240805-1
20240829-1
20240829-2
20240829-3
20240830-1
20240909-1
20240909-2
20240929-1
20240929-2
20240929-3
20241001-1
20241002-1
20241002-2
20241002-3
20241002-4
20241002-5
20241002-6
20241002-7
20241024-1
20241128-1
20241128-2
20241128-3
20241212-1
20241213-1
20241220-1
20241222-1
20241222-2
20241222-3
20241222-4
20241222-5
20241222-6
20241226-1
20241227-1
20241227-2
20250210-1
20250224-1
20250225-1
20250225-2
20250402-1
20250402-2
20250509-1
20250509-2
20250509-3
20250509-4
20250509-5
20250509-6
20250509-7
20250509-8
20250510-1
20250513-1
20250513-2
20250514-1
20250515-1
20250530-1
20250608-1
20250730-1
20250807-1
20250818-1
20250923-1
20250923-2
20250923-3
20250923-5
20250923-6
delete
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.8.8
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-63088.json"