CVE-2026-7084

Name of the Vulnerable Software and Affected Versions HBAI-Ltd Toonflow-app versions prior to 1.1.2

Description A remote server-side request forgery (SSRF) exists in the 'getCodeByLink' endpoint. The issue occurs within the fetch() function located in the src/routes/setting/vendorConfig/getCodeByLink.ts file, where manipulation of the Link argument allows for the attack. The vendor has stated that the '/getCodeByLink' interface is designed to obtain TS code for local execution and is inherently high-risk.

Recommendations As a temporary workaround, restrict access to the '/getCodeByLink' interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.