CVE-2026-41689: PHP cURL SSRF Unresolved
Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | PHP | β
greprules fetch cve-2026-41689-php-curl-ssrf-unresolved --engine opengrep
Description
Unvalidated user input is passed directly to `CURLOPT_URL` without network validation, which is a vector for Server-Side Request Forgery (SSRF). Without strict limits on the URL parameter or DNS rebinding protections such as `CURLOPT_RESOLVE`, an attacker can use the server to reach and issue requests to internal automated services.
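The flagged pattern beside a hardened form, as an added example that is not part of the rule or of any affected project. The function names `fetch_unsafe`, `is_public_ip` and `fetch_pinned` are hypothetical, and the hardened version assumes IPv4-only destinations and rejects everything else.

```php
<?php
// Pattern the rule describes: request input reaches CURLOPT_URL unchecked.
function fetch_unsafe(string $url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}

// True only for addresses outside PHP's private and reserved ranges
// (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8, 240/4).
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Hardened form: validate the URL, resolve once, check every answer,
// then pin the checked address so curl cannot resolve the name again.
function fetch_pinned(string $url): string {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('absolute URL required');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true) || isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('only plain http(s) URLs are accepted');
    }
    $host = $p['host'];
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // gethostbynamel() returns IPv4 only; bracketed IPv6 literals fail closed.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === [] || count(array_filter($ips, 'is_public_ip')) !== count($ips)) {
        throw new RuntimeException('host does not resolve to public addresses only');
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"], // connect to the checked IP
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would bypass the checks above
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . curl_error($ch));
    }
    return $body;
}
```

The range flags do not cover every non-routable block (for example 100.64.0.0/10), so a deployment may need its own deny list or an explicit allow list of destination hosts on top of this check.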