Impact
An attacker can gain full control of the server by sending a specially crafted HTTP request to the loopback request handling component of the fossar selfoss v2.20-SNAPSHOT. The flaw allows execution of arbitrary commands and the disclosure of sensitive data, directly violating the confidentiality, integrity, and availability of the affected system. The weakness is a classic code injection problem (CWE‑94).
Affected Systems
The vulnerability affects the fossar selfoss v2.20-SNAPSHOT web application. No other affected product versions are listed in the advisory.
Risk and Exploitability
The security community rates this flaw with a CVSS score of 9.8, indicating a critical threat. The EPSS score suggests that public exploitation is unlikely (< 1 %), and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the flaw is life‑changing if an attacker can reach the loopback handling path, for example over the public network or through an internal compromise. The likely attack vector is network‑based, exploiting the exposed HTTP endpoint. Based on the description, it is inferred that the attacker must be able to send a crafted HTTP request to the loopback handler, implying that the endpoint must be reachable over the network. Organizations should treat this as a high‑priority vulnerability requiring immediate action.
OpenCVE Enrichment