PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22662 f CVE debrief

CVE-2026-22662 details a blind server-side request forgery vulnerability in Prompts.chat prior to commit 1464475. The vulnerability allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.

Vendor
f
Product
prompts.chat
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-07-14
Advisory published
2026-04-03
Advisory updated
2026-07-14

Who should care

Users of Prompts.chat prior to commit 1464475 should be aware of this vulnerability and take steps to mitigate it. Authenticated users of the affected versions are at risk of being exploited. The vulnerability can be used to access internal services, probe internal networks, and exfiltrate data.

Technical summary

The vulnerability exists in the Wiro media generator of Prompts.chat prior to commit 1464475. An authenticated user can send a POST request to the /api/media-generate endpoint with a user-controlled inputImageUrl parameter, which can be used to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. The affected product deployments should be reviewed to determine the potential impact.

Defensive priority

Medium priority should be given to patching this vulnerability, as it allows for server-side request forgery and could be used to access internal services.

Recommended defensive actions

  • Apply the patch at commit 1464475
  • Review and update the inputImageUrl parameter validation
  • Monitor for suspicious activity on the /api/media-generate endpoint
  • Implement additional security measures to protect internal services
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-04-03T21:17:09.163Z and last modified on 2026-07-14T16:16:50.277Z. The NVD entry is currently Analyzed. The vulnerability details are based on the information available from the CVE record and NVD entry. However, the accuracy of this information is limited by the details provided in the source corpus. Further verification is recommended to confirm the affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-03T21:17:09.163Z and has not been modified since then. The NVD entry is currently Analyzed.