Description
A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the JSON Handler component of Woahai321 ListSync. Specifically, the URL passed to the requests.post call in list-sync-main/api_server.py is not validated, which allows an attacker to make the server issue outbound requests to arbitrary URLs. An attacker can exploit this remotely by crafting a malicious payload that causes the server to resolve and request internal or external resources, potentially leading to credential leakage, denial of service, or access to sensitive data. The weakness is identified as CWE-918: Server-Side Request Forgery.

Affected Systems

Affected vendor and product: Woahai321:ListSync. Versions up to and including 0.6.6 are affected. No other vendors or products are listed. Users running version 0.6.6 or earlier should verify whether a fix has been applied, or plan to upgrade once one is released.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need remote access to submit the payload, and the application must be able to make outbound requests, a condition that typical deployments satisfy. Because the flaw lies in an unvalidated external library call, automated exploitation is feasible once a valid endpoint is supplied.

Generated by OpenCVE AI on March 17, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-provided patch or upgrade to a later, unaffected version of ListSync as soon as it becomes available.
  • If a patch is not yet released, constrain the application’s outbound network reach by using a firewall or network policy to block unexpected HTTP(S) connections, allowing only whitelisted domains.
  • Configure the API server or application to validate or filter URLs before making outbound requests; if the configuration supports a URL whitelist, enforce it.
  • Monitor application logs for abnormal outbound request activity and investigate any suspicious connections.
  • Regularly run vulnerability scanning tools against the application to detect and remediate similar weaknesses.
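As an added example of the URL validation recommended above (not code from ListSync or OpenCVE), the following Python policy check gates a requests.post call behind a host allowlist; the ALLOWED_HOSTS values and the safe_post helper are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of upstream hosts this service legitimately talks to
# (constructed example values; a real deployment would load them from config).
ALLOWED_HOSTS = frozenset({"api.example.com", "media-server.internal.example"})

class UnsafeURL(ValueError):
    """Raised when a caller-supplied URL violates the outbound policy."""

def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url unchanged if it passes the policy, otherwise raise UnsafeURL.
    Policy: http(s) only, no embedded credentials, no literal IP addresses, and the
    hostname must be allowlisted. Distinct messages make rejections easy to triage in logs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        raise UnsafeURL("missing host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name rather than a literal address
    if addr is not None:
        # Loopback, RFC 1918, link-local (cloud metadata at 169.254.169.254), etc.
        kind = "non-global" if not addr.is_global else "literal"
        raise UnsafeURL(f"{kind} IP address not allowed: {host}")
    if host not in allowed_hosts:
        raise UnsafeURL(f"host not on allowlist: {host}")
    return url

def is_safe_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean form of validate_outbound_url; malformed URLs also count as unsafe."""
    try:
        validate_outbound_url(url, allowed_hosts)
    except ValueError:  # UnsafeURL and urlsplit parse errors
        return False
    return True

def safe_post(url: str, payload: dict, timeout: float = 5.0):
    """Drop-in for requests.post(url, json=payload) that enforces the policy; redirects are
    off so an allowlisted host cannot bounce the request inward. The allowlist does not
    stop a trusted host whose DNS later resolves internally; restrict that at the network layer too."""
    import requests  # deferred so the validator works without the library installed
    validate_outbound_url(url)
    return requests.post(url, json=payload, timeout=timeout, allow_redirects=False)
```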


Tracking


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Woahai321; Woahai321 listsync
Type: Vendors & Products
Values added: Woahai321; Woahai321 listsync

Wed, 11 Mar 2026 22:00:00 +0000

Type: Description
Values added: A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Type: Title
Values added: Woahai321 ListSync JSON api_server.py requests.post server-side request forgery
Type: Weaknesses
Values added: CWE-918
Type: References
Values added:
Type: Metrics
Values added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T19:29:05.864Z

Reserved: 2026-03-11T12:36:03.541Z

Link: CVE-2026-3958

Vulnrichment

Updated: 2026-03-12T19:29:00.676Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T22:16:36.980

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:54Z

Weaknesses