CVE Catalog

CVE-2026-22662

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile - higher than 9% of all known CVEs

Summary

The vulnerability in prompts.chat prior to commit 1464475 allows authenticated users to perform blind server-side request forgery (SSRF) via the inputImageUrl parameter in the Wiro media generator. Attackers can send POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service.

Risk Assessment

The risk includes unauthorized access to internal network resources, potential data confidentiality breaches, and the possibility of launching further attacks on the organization's internal infrastructure.

Recommendation

Immediately update prompts.chat to a version containing commit 1464475 or later, and restrict access to the /api/media-generate endpoint to trusted users only.

Original NVD description (English source)

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS