PatchSiren cyber security CVE debrief
CVE-2026-11437 perfree CVE debrief
A vulnerability was found in perfree go-fastdfs-web up to 1.3.7. The function checkServer in the file /install/checkServer of the Installation Endpoint is affected, allowing for server-side request forgery (SSRF). The attack can be executed remotely. The exploit has been published and may be used.
- Vendor: perfree
- Product: go-fastdfs-web
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Users of perfree go-fastdfs-web up to 1.3.7 should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by a flaw in the checkServer function of the /install/checkServer endpoint, which allows for SSRF. The CVSS score is 5.5 (MEDIUM).
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a version of go-fastdfs-web that is not vulnerable.
- Implement additional security measures to prevent SSRF attacks.
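A detection aid for the endpoint named above, added here as an example and not taken from the advisory or the go-fastdfs-web project: it scans web access logs for requests whose normalized path is /install/checkServer, so encoded or padded variants of the path are still counted. The log format (Common/Combined), the sample lines and the function names are assumptions; matching is on the path only, because the advisory gives no request parameters.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

TARGET = "/install/checkserver"  # endpoint named in the advisory, lowercased

# Assumption: Common/Combined Log Format from a reverse proxy or app server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2026:10:01:02 +0000] "GET /index HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jun/2026:10:02:11 +0000] "POST /install/checkServer HTTP/1.1" 200 64',
    '198.51.100.7 - - [07/Jun/2026:10:02:15 +0000] "POST //install/%63heckServer HTTP/1.1" 200 64',
    '203.0.113.5 - - [07/Jun/2026:10:05:40 +0000] "GET /install/./checkServer;v=1?a=b HTTP/1.1" 404 0',
    '192.0.2.10 - - [07/Jun/2026:10:06:00 +0000] "GET /install/checkServerStatus HTTP/1.1" 404 0',
]

def normalize_path(uri):
    """Reduce a request target to a canonical lowercase path for matching."""
    path = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", uri)  # absolute-form target
    path = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    # Drop ";param" suffixes per segment, then collapse "//", "/./" and "/../".
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()

def find_hits(lines):
    """Return (hits, per_ip) for requests that reach the install check endpoint."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize_path(m["uri"]) != TARGET:
            continue
        hits.append((m["ts"], m["ip"], m["method"], m["uri"], int(m["status"])))
        per_ip[m["ip"]] += 1
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = find_hits(SAMPLE_LOG)
    for ts, ip, method, uri, status in hits:
        print(f"{ts} {ip} {method} {uri} -> {status}")
    print(dict(per_ip))
```

Matching is case-insensitive and decodes twice on purpose, so it may over-report; review each hit against its status code and source address.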
Evidence notes
The vendor was contacted early about this disclosure but did not respond in any way.
Official resources
CVE-2026-11437 was published on 2026-06-06T17:16:41.557Z and modified on 2026-06-08T14:57:14.757Z.