PT-2026-23892 · Bufanyun · Hotgo
Vuldb
·
Published
2026-03-07
·
Updated
2026-03-08
·
CVE-2026-3683
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
bufanyun HotGo versions up to 2.0
Description
A server-side request forgery issue exists in the ImageTransferStorage function of the Endpoint component, located in the file
/server/internal/logic/common/upload.go. This manipulation can be initiated remotely. The exploit is publicly available. The vendor was notified but did not respond.Recommendations
Versions prior to 2.0 should be updated. As a temporary workaround, consider restricting access to the
ImageTransferStorage() function until a patch is available.Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hotgo