Description
A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request leads to server-side request forgery. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery (SSRF).
Action: Assess Impact
AI Analysis

Impact

A server-side request forgery flaw exists in the worldquant-miner application through the unvalidated handling of the make_request argument in ssrf_proxy.py, allowing an attacker to cause the server to forward requests to arbitrary URLs. The vulnerability has a reported CVSS score of 6.3, indicating moderate severity, and the exploitability is considered difficult with high complexity. The impact can include unauthorized access to internal services, exfiltration of sensitive data, or disruption of services by relaying malicious requests, though the specific damage to confidentiality or integrity is not detailed in the description.

Affected Systems

The flaw affects installations of the worldquant-miner application, released by zhutoutoutousan, for all versions up to and including 1.0.9. Any deployment using the worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py module is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.3 reflects a moderate exploit risk, while the EPSS score of < 1 % suggests a low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Attackers could trigger the SSRF remotely by providing crafted input to the make_request function, provided they have network access to the target server. Given the high complexity and difficulty rating, successful exploitation would require significant effort and a detailed understanding of the target's internal network topology.

Generated by OpenCVE AI on April 18, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade worldquant-miner to a version newer than 1.0.9 that addresses the SSRF issue.
  • If no patch is available, modify ssrf_proxy.py to validate all outbound URLs against a strict whitelist of approved domains and IP ranges before forwarding.
  • Configure firewall or network segmentation rules to block outbound HTTP or HTTPS traffic from the application to sensitive internal hosts, so that a forged request reaches nothing of value even if the SSRF is triggered by an unauthenticated third party.
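The allow-list validation recommended in the second item, as an added Python example that is not code from the worldquant-miner project or from OpenCVE. The approved host names and network, the function names, the blocked-range table and the stub resolver are all assumptions constructed for the demonstration; a real deployment would load its policy from configuration. The check goes slightly beyond the recommendation in one respect: an allow-listed host name is resolved and every returned address is tested against internal ranges before the request is allowed, and the checked address is returned so the caller can connect to it directly rather than resolving the name a second time.

```python
"""Allow-list validation for outbound proxy requests (defensive example, assumed API)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed policy for this example: the only destinations the proxy may contact.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "data.example.org"}        # assumed names
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]     # TEST-NET-3, for literal-IP targets

# Explicit block list of internal / special ranges (loopback, RFC 1918, link-local incl.
# cloud metadata, multicast, IPv6 ULA, IPv4-mapped IPv6). Listed explicitly rather than via
# ip.is_private so the policy does not depend on the Python version's registry data.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8", "::ffff:0:0/96",
)]

Resolver = Callable[[str], List[str]]


@dataclass(frozen=True)
class ValidatedTarget:
    """The checked destination, including the address the caller should connect to."""
    scheme: str
    host: str
    port: int
    ip: str


def system_resolver(host: str) -> List[str]:
    """Resolve a host name to all of its addresses through the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(ip: ipaddress._BaseAddress) -> bool:
    """True if the address falls inside any internal or special-purpose range."""
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> ValidatedTarget:
    """Return a ValidatedTarget for a URL the proxy may fetch, or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname  # lower-cased; brackets already stripped from IPv6 literals
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)  # raises ValueError on a bad port

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None

    if literal is not None:
        # A literal IP must sit inside an allow-listed network; internal ranges never qualify.
        if not any(literal in net for net in ALLOWED_NETWORKS):
            raise ValueError(f"IP {host} is not in an allowed network")
        return ValidatedTarget(scheme, host, port, str(literal))

    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not allow-listed")

    # Resolve now and test every address: an allow-listed name that points at an internal
    # address (misconfiguration or attacker-influenced DNS) is still rejected.
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host {host!r} did not resolve")
    for addr in addresses:
        if is_blocked_address(ipaddress.ip_address(addr)):
            raise ValueError(f"host {host!r} resolves to blocked address {addr}")
    # Pin the checked address: the caller connects to target.ip and sends Host: target.host,
    # so a second lookup cannot hand back a different answer (DNS rebinding).
    return ValidatedTarget(scheme, host, port, addresses[0])


def is_allowed_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS data so the example runs offline; data.example.org deliberately
# points at loopback to show that an allow-listed name is still checked after resolution.
FAKE_DNS: Dict[str, List[str]] = {
    "api.example.com": ["203.0.113.10"],
    "data.example.org": ["127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/prices", "http://data.example.org/x",
              "http://203.0.113.7/", "http://10.0.0.5/admin", "file:///etc/passwd"):
        print(u, "->", "allowed" if is_allowed_url(u, fake_resolver) else "blocked")
```

The validator is meant to be called once per request, immediately before the connection is opened; the returned `ip` is what the HTTP client should connect to, and redirects must be fed back through the same check rather than followed automatically, since a redirect from an approved host is the usual way an allow-list is bypassed.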

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Zhutoutoutousan; Zhutoutoutousan worldquant-miner

Type: Vendors & Products
Values Added: Zhutoutoutousan; Zhutoutoutousan worldquant-miner

Thu, 19 Feb 2026 07:45:00 +0000

Type: Description
Values Added: A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py of the component URL Handler. The manipulation of the argument make_request leads to server-side request forgery. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: zhutoutoutousan worldquant-miner URL ssrf_proxy.py server-side request forgery

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added:
    cvssV2_0: {'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:29:40.676Z

Reserved: 2026-02-18T20:06:38.213Z

Link: CVE-2026-2711

Vulnrichment

Updated: 2026-02-19T21:31:50.904Z

NVD

Status: Deferred

Published: 2026-02-19T08:16:16.737

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses