Description
A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-06
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the checkServer function of go-fastdfs-web's installation endpoint, which lets an attacker make the server issue arbitrary outbound HTTP requests. This server-side request forgery (SSRF) can reach internal services or expose confidential data, compromising confidentiality and integrity. The weakness is classified as CWE-918.

Affected Systems

The affected product is perfree's go-fastdfs-web; any release up to and including 1.3.7 that exposes the /install/checkServer endpoint is vulnerable. No finer-grained version details are listed, so every release up to 1.3.7 should be treated as at risk unless patched.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity, while the EPSS score is not available, so the likelihood of exploitation is uncertain. The vulnerability is not present in the CISA KEV catalog, but an exploit has already been published and is usable. Attackers can invoke the flaw remotely through the publicly accessible installation endpoint, making the risk significant for exposed installations.

Generated by OpenCVE AI on June 6, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued patch or upgrade to a fixed release of go-fastdfs-web once one becomes available.
  • Restrict external access to the /install/checkServer endpoint using firewall rules or authentication.
  • Configure outbound network filtering to block unexpected internal requests from the web server, limiting the attack surface.
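
The third action above is a network control; the same check can also be enforced in the application. The following is an added example written for this page, not go-fastdfs-web's own code: a validator that a "check server" style endpoint could run before making any outbound request. The allowed schemes and ports, and the DNS records it resolves offline, are assumptions constructed for the example.

```python
"""SSRF guard for a 'check server' style endpoint.

Hypothetical example written for this page; it is not go-fastdfs-web code.
Assumptions: only http/https targets on a small set of ports are legitimate,
and the caller will connect to the IP this function vetted.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}  # assumption: ports the deployment expects to check

# Constructed DNS records used only so the example runs offline.
CONSTRUCTED_RECORDS = {
    "files.example.com": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "internal.example": ["192.168.1.20"],
}


def fake_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS; raises like a failed lookup for unknown names."""
    if host not in CONSTRUCTED_RECORDS:
        raise OSError(f"constructed resolver: no record for {host!r}")
    return CONSTRUCTED_RECORDS[host]


def dns_resolver(host: str) -> list[str]:
    """Real resolver: returns every A/AAAA record, because all of them must be safe."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr) -> bool:
    """True only for globally routable unicast addresses."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    # is_global is False for private, loopback, link-local, reserved and
    # unspecified ranges; multicast is excluded separately.
    return addr.is_global and not addr.is_multicast


def validate_target(url: str, resolver=dns_resolver) -> tuple[bool, str, list[str]]:
    """Vet an operator-supplied server URL before the application fetches it.

    Returns (ok, reason, resolved_ips). The caller should open the connection to
    one of resolved_ips (sending the hostname in the Host header) instead of
    resolving again; otherwise a DNS change between check and request would
    bypass the guard (time-of-check/time-of-use).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}", []
    try:
        ips = [str(ipaddress.ip_address(host))]  # IP literal, no lookup needed
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, f"could not resolve {host!r}", []
        if not ips:
            return False, f"no addresses for {host!r}", []
    for ip in ips:
        if not is_public(ipaddress.ip_address(ip)):
            return False, f"{host!r} maps to non-public address {ip}", []
    return True, "ok", ips


if __name__ == "__main__":
    for candidate in ("http://files.example.com/status", "http://127.0.0.1:8080/",
                      "file:///etc/hosts", "http://mixed.example/",
                      "http://[::ffff:192.168.1.20]/"):
        print(candidate, "->", validate_target(candidate, resolver=fake_resolver)[:2])
```

A name that resolves to a mix of public and private addresses is rejected outright, and the vetted addresses are returned so the connection can be opened to one of them rather than to a fresh lookup.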

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 16:45:00 +0000

Type: Description
  Values removed: (none)
  Values added: A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title
  Values removed: (none)
  Values added: perfree go-fastdfs-web Installation Endpoint checkServer server-side request forgery
Type: First Time appeared
  Values removed: (none)
  Values added: Perfree; Perfree go-fastdfs-web
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-918
Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:perfree:go-fastdfs-web:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values removed: (none)
  Values added: Perfree; Perfree go-fastdfs-web
Type: References
  Values removed: (none)
  Values added: (none listed)
Type: Metrics
  Values removed: (none)
  Values added:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T16:30:12.201Z

Reserved: 2026-06-05T22:12:51.217Z

Link: CVE-2026-11437

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T17:16:41.557

Modified: 2026-06-06T17:16:41.557

Link: CVE-2026-11437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T19:00:12Z

Weaknesses