PatchSiren cyber security CVE debrief
CVE-2026-22662 f CVE debrief
CVE-2026-22662 details a blind server-side request forgery vulnerability in Prompts.chat prior to commit 1464475. The vulnerability allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
- Vendor
- f
- Product
- prompts.chat
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-03
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-03
- Advisory updated
- 2026-07-14
Who should care
Users of Prompts.chat prior to commit 1464475 should be aware of this vulnerability and take steps to mitigate it. Authenticated users of the affected versions are at risk of being exploited. The vulnerability can be used to access internal services, probe internal networks, and exfiltrate data.
Technical summary
The vulnerability exists in the Wiro media generator of Prompts.chat prior to commit 1464475. An authenticated user can send a POST request to the /api/media-generate endpoint with a user-controlled inputImageUrl parameter, which can be used to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. The affected product deployments should be reviewed to determine the potential impact.
Defensive priority
Medium priority should be given to patching this vulnerability, as it allows for server-side request forgery and could be used to access internal services.
Recommended defensive actions
- Apply the patch at commit 1464475
- Review and update the inputImageUrl parameter validation
- Monitor for suspicious activity on the /api/media-generate endpoint
- Implement additional security measures to protect internal services
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-04-03T21:17:09.163Z and last modified on 2026-07-14T16:16:50.277Z. The NVD entry is currently Analyzed. The vulnerability details are based on the information available from the CVE record and NVD entry. However, the accuracy of this information is limited by the details provided in the source corpus. Further verification is recommended to confirm the affected scope and severity.
Official resources
-
CVE-2026-22662 CVE record
CVE.org
-
CVE-2026-22662 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Mitigation, Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-03T21:17:09.163Z and has not been modified since then. The NVD entry is currently Analyzed.