PT-2026-33790 · Vexa · Vexa

Published 2026-04-20 · Updated 2026-04-21 · CVE-2026-25883

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Vexa versions prior to 0.10.0-260419-1910

Description

The webhook feature allows authenticated users to configure an arbitrary URL to receive HTTP POST requests upon meeting completion. Because the application does not validate the webhook URL, it enables Server-Side Request Forgery (SSRF), a flaw where the server is tricked into making requests to unintended locations. An authenticated attacker can target internal services such as Redis, databases, and admin panels, as well as localhost services and cloud metadata endpoints for AWS or GCP to steal credentials.

Recommendations

Update to version 0.10.0-260419-1910.

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-25883

Affected Products

Vexa