Description
An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can gain full control of the server by sending a specially crafted HTTP request to the loopback request handling component of the fossar selfoss v2.20-SNAPSHOT. The flaw allows execution of arbitrary commands and the disclosure of sensitive data, directly violating the confidentiality, integrity, and availability of the affected system. The weakness is a classic code injection problem (CWE‑94).

Affected Systems

The vulnerability affects the fossar selfoss v2.20-SNAPSHOT web application. No other affected product versions are listed in the advisory.

Risk and Exploitability

The security community rates this flaw with a CVSS score of 9.8, indicating a critical threat. The EPSS score suggests that public exploitation is unlikely (< 1 %), and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the flaw is life‑changing if an attacker can reach the loopback handling path, for example over the public network or through an internal compromise. The likely attack vector is network‑based, exploiting the exposed HTTP endpoint. Based on the description, it is inferred that the attacker must be able to send a crafted HTTP request to the loopback handler, implying that the endpoint must be reachable over the network. Organizations should treat this as a high‑priority vulnerability requiring immediate action.

Generated by OpenCVE AI on June 18, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade selfoss to a version that contains the loopback handler fix; if a newer release is unavailable, migrate to the latest stable release.
  • Restrict access to the loopback request handling endpoint to the localhost interface only, or block the endpoint entirely with a firewall.
  • Disable or test disable the loopback functionality in a staging environment and validate that no external requests can reach it.

Generated by OpenCVE AI on June 18, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Fossar
Fossar selfoss
Vendors & Products Fossar
Fossar selfoss

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Arbitrary Command Execution via Crafted HTTP Request in fossar selfoss v2.20-SNAPSHOT

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Arbitrary Command Execution via Crafted HTTP Request in fossar selfoss v2.20-SNAPSHOT

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:23:11.402Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50872

cve-icon Vulnrichment

Updated: 2026-06-16T14:23:05.092Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:29.993

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:24Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')