PT-2026-6071 · Zentao+1 · Zentao+1

Ez-Lbz · Published 2026-02-04 · Updated 2026-02-04 · CVE-2026-1884

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: ZenTao versions through 21.7.6-85642

Description: A server-side request forgery (SSRF) condition exists in ZenTao. The issue is located in the fetchHook function within the module/webhook/model.php file of the Webhook Module component. The attack can be initiated remotely, and the exploit is publicly available. The vendor was contacted regarding this disclosure but did not respond.

Recommendations: Versions prior to 21.7.6-85642 should be used. As a temporary workaround, consider restricting access to the module/webhook/model.php file until a patch is available.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-1884

Affected Products

Webhook Module
Zentao