PT-2026-6071 · Zentao+1 · Zentao+1
Ez-Lbz · Published 2026-02-04 · Updated 2026-02-04 · CVE-2026-1884
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ZenTao versions through 21.7.6-85642
Description
A server-side request forgery condition exists in ZenTao. The issue is located in the fetchHook function within the module/webhook/model.php file of the Webhook Module component. The attack can be initiated remotely, and the exploit is publicly available. The vendor was contacted regarding this disclosure but did not respond.
Recommendations
Versions prior to 21.7.6-85642 should be used. As a temporary workaround, consider restricting access to the module/webhook/model.php file until a patch is available.
Exploit
Fix
SSRF
Affected Products
Webhook Module
Zentao