CVE-2026-1884 - Vulnerability Details

- ZenTao Webhook model.php fetchHook server-side request forgery

Description

A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-04

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The ZenTao Webhook model.php fetchHook function contains a server‑side request forgery vulnerability that allows an attacker to force the application to make HTTP requests to arbitrary URLs. If exploited, the attacker could access internal resources, exfiltrate data, or use the system as a pivot to reach restricted services. The weakness is classified as CWE‑918.

Affected Systems

All releases of ZenTao up to version 21.7.6‑85642 are affected. The vulnerability resides in the Webhook Module component, specifically in the fetchHook method. Users of ZenTao product legacy releases should verify their version and plan to upgrade.

Risk and Exploitability

The measured CVSS score is 5.1, indicating moderate severity. The EPSS score is below 1%, suggesting a low exploitation probability in the wild at the time of analysis, although an exploit has already been made publicly available. The vulnerability can be triggered remotely through the webhook endpoint and does not require privileged credentials. Since it is not listed in KEV, no immediate coordinated mitigation guidance exists.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

ZenTao

affected

Version	Status	Constraints
`21.7.6-85642`	affected	—

Configuration 1 [-]

cpe:2.3:a:zentao:zentao:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Zentao	Zentao	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ZenTao to a version later than 21.7.6‑85642 that contains the fix.
Restrict webhook traffic to a trusted network or enforce IP whitelisting to reduce exposure.
Disable the Webhook Module or, if disabling is not possible, run the application behind a web application firewall that blocks outbound requests to internal IP ranges.

Generated by OpenCVE AI on April 17, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ez-lbz/ez-lbz.github.io/issues/9
https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574
https://vuldb.com/?ctiid.344264
https://vuldb.com/?id.344264
https://vuldb.com/?submit.742633

History

Wed, 11 Feb 2026 19:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:zentao:zentao::::::::

Thu, 05 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 05 Feb 2026 11:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zentao Zentao zentao
Vendors & Products		Zentao Zentao zentao

Wed, 04 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		ZenTao Webhook model.php fetchHook server-side request forgery
Weaknesses		CWE-918
References		https://github.com/ez-lbz/ez-lbz.github.io/issues/9 https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574 https://vuldb.com/?ctiid.344264 https://vuldb.com/?id.344264 https://vuldb.com/?submit.742633
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Zentao Zentao

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-04T21:32:08.978Z

Updated: 2026-02-23T09:16:38.821Z

Reserved: 2026-02-04T14:17:45.454Z

Link: CVE-2026-1884

Vulnrichment

Updated: 2026-02-05T20:23:27.173Z

NVD

Status : Analyzed

Published: 2026-02-04T22:15:57.933

Modified: 2026-02-11T19:15:12.930

Link: CVE-2026-1884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object