← العودة للجدول
CVE-2026-55177
CVE-2026-55177 — CloudTAK: Authenticated full-read SSRF in the /api/esri* routes — user-control
📅 2026-07-18
🟠 High 🔥 No GHSA Vulnerability Web

📋 الوصف الكامل

# Authenticated full-read SSRF in CloudTAK `/api/esri*` routes — user-controlled URL fetched with no IP-classification guard ## Summary Every route in the ESRI helper family (`api/routes/esri.ts`) takes a fully attacker-controlled URL from the request (`POST /api/esri` body `url`, and the `portal` / `server` / `layer` query parameters on the `GET /api/esri/*` routes) and passes it into `EsriBa

💻 الأنظمة المتأثرة

⚠️ نوع التهديد

Vulnerability

🔗 CVE ID

CVE-2026-55177

📡 المصدر

GHSA

✅ الحلول والتخفيف

Update to v13.7.0

🔗 المصدر الأصلي ← 📘 NVD ← ⚡ CISA KEV ← 🔍 Valters IT ←