PT-2026-38645 · Prompthub · Prompthub

Shmulc8 · Published 2026-05-08 · Updated 2026-05-12 · CVE-2026-42261

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PromptHub versions 0.4.9 through 0.5.3

Description: The authenticated endpoint "/api/skills/fetch-remote" fetches a user-supplied URL server-side and reflects the response body to the caller. The Server-Side Request Forgery (SSRF) protection in the isPrivateIPv6 function is meant to block private and loopback destinations, but it can be bypassed with alternate IPv6 representations: any IPv4 address (including loopback, RFC 1918 and link-local ranges) is reachable through an IPv4-mapped IPv6 address written in hex form, and the canonical ::1 address is also accepted. Any authenticated user with the user or admin role can trigger the issue; in deployments where ALLOW REGISTRATION is set to true, any internet user who registers an account can exploit it.

Recommendations: Update to version 0.5.4.
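As an added illustration of the fix class the advisory implies (this is not PromptHub's code, and since the page does not state the project's language it is written in Python, using the standard ipaddress module), the check below decides on the parsed address value instead of its textual spelling, so the hex-form IPv4-mapped and expanded ::1 representations described above get the same verdict as their canonical forms. The function names, the 6to4/Teredo handling and the sample inputs are the author's own assumptions.

```python
import ipaddress

# Hypothetical hardened replacement for a string-matching private-address
# check. Run it on every address a hostname resolves to and on every redirect
# hop, before the server-side request is issued.


def unwrap_embedded_ipv4(addr):
    """Return the IPv4 address carried by a transition-format IPv6 address.

    ::ffff:127.0.0.1 and ::ffff:7f00:1 are one IPv4-mapped address; judging
    the embedded 127.0.0.1 is what closes the hex-form bypass. 6to4 (2002::/16)
    and Teredo (2001::/32) addresses embed an IPv4 address as well.
    """
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        if addr.sixtofour is not None:
            return addr.sixtofour
        if addr.teredo is not None:
            return addr.teredo[1]           # (server, client): judge the client
    return addr


def is_blocked_destination(ip_literal: str) -> bool:
    """True when the literal must not be fetched server-side.

    Every spelling (compressed groups, upper case, expanded ::1, IPv4-mapped
    in dotted or hex form) is parsed to an address value first, so the verdict
    no longer depends on how the address was written.
    """
    literal = ip_literal.strip().strip("[]")
    if "%" in literal:                      # drop a zone id such as fe80::1%eth0
        literal = literal.split("%", 1)[0]
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return True                         # unparseable input: refuse, don't guess
    addr = unwrap_embedded_ipv4(addr)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


if __name__ == "__main__":
    # Constructed sample inputs: the spellings named in the advisory plus one
    # public address that must remain allowed.
    for literal in ["::1", "0:0:0:0:0:0:0:1", "::ffff:127.0.0.1",
                    "::FFFF:7F00:1", "::ffff:a9fe:a9fe", "::ffff:8.8.8.8"]:
        print(f"{literal:>18}  blocked={is_blocked_destination(literal)}")
```

Unwrapping the embedded IPv4 address before testing it also avoids over-blocking: a mapped public address such as ::ffff:8.8.8.8 stays allowed while every mapped loopback, RFC 1918 or link-local address is refused.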

Tags: Exploit · Fix · Protection Mechanism Failure · RCE · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-42261

Affected Products: Prompthub