PatchSiren cyber security CVE debrief
CVE-2026-30118 scalar CVE debrief
CVE-2026-30118 describes a critical unauthenticated server-side request forgery (SSRF) issue in scalar/astro v0.1.13, centered on the Scalar Proxy endpoint’s scalar_url query parameter. An attacker can cause the backend to issue HTTP requests to attacker-controlled destinations, which may expose authentication cookies and headers and could support privilege escalation if sensitive requests are proxied.
- Vendor: scalar
- Product: astro
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Administrators, operators, and developers running scalar/astro v0.1.13 or any deployment that exposes the Scalar Proxy endpoint should treat this as urgent. Teams that rely on the backend to reach internal services, forward headers, or handle authenticated sessions are at highest risk.
Technical summary
The provided CVE description states that the Scalar Proxy endpoint accepts a scalar_url query parameter that can be abused to direct backend-originated HTTP requests to arbitrary attacker-controlled URLs. Because the issue is reachable without authentication and the CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the primary security concern is SSRF-driven exposure of cookies and headers, with possible downstream privilege escalation. The supplied NVD metadata marks the vulnerability status as Deferred and includes CWE-918.
Defensive priority
Critical / immediate. This is a network-reachable, unauthenticated SSRF with high confidentiality, integrity, and availability impact in the supplied assessment, so exposed deployments should be reviewed and mitigated as soon as possible.
Recommended defensive actions
- Inventory all deployments of scalar/astro and confirm whether v0.1.13 is in use.
- Upgrade to a non-vulnerable release as soon as the upstream project provides a fixed version.
- If immediate upgrading is not possible, disable or tightly restrict the Scalar Proxy endpoint and any user-controlled outbound fetch behavior.
- Block or constrain backend egress to untrusted destinations using network controls and allowlists.
- Ensure authentication cookies, authorization headers, and other sensitive headers are not forwarded to arbitrary URLs.
- Review logs and telemetry for unusual proxy targets or unexpected outbound request patterns.
- If exposure is suspected, rotate affected credentials or session secrets according to your incident response procedures.
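As an added illustration of the allowlist and header-stripping controls recommended above (example code written for this debrief, not code from the scalar/astro project), the block below validates a user-supplied proxy target such as the scalar_url parameter before the backend fetches it, and strips sensitive inbound headers before anything is forwarded. The allowed host names, header names and sample inputs are assumptions.

```javascript
// Added example (not scalar/astro's own code): hardening for a user-controlled
// proxy target. ALLOWED_HOSTS, SENSITIVE_HEADERS and SAMPLE_HEADERS are assumed values.

// Hosts the backend is permitted to fetch on a caller's behalf (assumed allowlist).
const ALLOWED_HOSTS = new Set(['api.example.com', 'docs.example.com']);

// Request headers that must never travel to a proxied destination.
const SENSITIVE_HEADERS = new Set([
  'cookie', 'authorization', 'proxy-authorization', 'x-api-key', 'x-forwarded-for',
]);

// True for IPv4 literals in "this network", loopback, link-local or RFC 1918 ranges.
// The WHATWG URL parser has already normalised forms like 0x7f.1 or 2130706433 to
// dotted quads by the time the hostname reaches this check.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Validate a proxy target. Returns { ok: true, url } or { ok: false, reason }.
function validateProxyTarget(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable url' };
  }
  // Only plain web schemes; file:, gopher:, etc. are never proxied.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Embedded credentials are a common trick to confuse naive host parsing.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in url not allowed' };
  }
  const host = url.hostname.toLowerCase();
  // Refuse loopback and private literals even if one slips into the allowlist.
  if (host === 'localhost' || host === '[::1]' || isPrivateIPv4(host)) {
    return { ok: false, reason: 'internal address not allowed' };
  }
  // Exact match only: a suffix like api.example.com.evil.test must not pass.
  if (!allowedHosts.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

// Copy the inbound headers minus anything sensitive before forwarding.
function sanitizeForwardHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample headers resembling what a proxy handler might receive.
const SAMPLE_HEADERS = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer secret-token',
  Accept: 'application/json',
  'User-Agent': 'example-client/1.0',
};

// Constructed sample targets: one allowlisted, the rest variants that must be refused.
const SAMPLE_TARGETS = [
  'https://api.example.com/openapi.json',
  'http://127.0.0.1:8080/admin',
  'http://169.254.1.1/',
  'file:///etc/passwd',
  'https://api.example.com.evil.test/x',
];

for (const target of SAMPLE_TARGETS) {
  console.log(target, '->', JSON.stringify(validateProxyTarget(target)));
}
console.log(sanitizeForwardHeaders(SAMPLE_HEADERS));
```

The host allowlist is the control that actually matters; the literal-address check is a backstop and does not cover a DNS name that resolves to an internal address or a redirect that lands there, so pair it with the network-level egress restrictions listed above and either disable redirect following or re-run the validator on every hop.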
Evidence notes
The debrief is based only on the supplied CVE description and the provided NVD record. The NVD metadata states vulnStatus: Deferred, references the GitHub repository prassan10/ssrf-zero-click-ato-scalar, and maps the weakness to CWE-918. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. No CPE criteria were provided in the source metadata, and the canonical vendor remains unknown in the supplied corpus.
Official resources
- CVE-2026-30118 CVE record (CVE.org)
- CVE-2026-30118 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Publicly disclosed in the CVE record on 2026-05-19T16:16:20.103Z; the supplied NVD record was last modified on 2026-05-20T14:16:39.930Z and marks the entry as Deferred.