Description
QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request
Published: 2026-04-08
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (potential internal network access and data exposure)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to send a crafted HTTP request that the QD service forwards to a target of the attacker's choosing, so that internal network services or external resources can be accessed or enumerated through the server. This server‑side request forgery can expose sensitive data and internal services. The weakness is classified as CWE‑918, reflecting improper validation of outbound requests. An attacker could potentially retrieve information, compromise internal hosts, or use the flaw to support further attacks such as lateral movement.

Affected Systems

The affected software is QD 20230821, a product of QD Today. The version is identified by the CPE string for QD, but no specific version range is supplied; therefore any installation of QD that includes the relevant component may be vulnerable.

Risk and Exploitability

The CVSS score of 9.1 places the vulnerability in the critical severity range. The EPSS score of less than 1% suggests that exploitation is currently infrequent, and the vulnerability is not listed in the CISA catalog of known exploited vulnerabilities. The flaw can be triggered by attackers on external networks or by internal actors with network access; the likely vector is remote exploitation via crafted requests as described.

Generated by OpenCVE AI on April 14, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest QD patch once it becomes available from QD Today.
  • Restrict outbound connections from the QD service to only the endpoints required for its operation.
  • Implement network segmentation to isolate the QD service from critical internal resources.
  • Monitor outbound HTTP traffic for unusual requests that may indicate exploitation.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery in QD 20230821

Tue, 14 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:qd-today:qd:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery in QD 20230821

Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Qd-today
Qd-today qd
Vendors & Products Qd-today
Qd-today qd

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery in QD 20230821
Weaknesses CWE-918

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:47:17.674Z

Reserved: 2023-10-30T00:00:00.000Z

Link: CVE-2023-46945

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-08T17:17:01.010

Modified: 2026-04-14T19:29:23.040

Link: CVE-2023-46945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses