Impact
The vulnerability is an incorrect access control bug in the webhook management component of Project Firefly III version 6.5.9. A crafted POST request can bypass authentication and allow an attacker to scan internal resources, potentially exposing sensitive data. This flaw is identified as CWE-284 and results in data disclosure and possible extension to further exploitation.
Affected Systems
Installations running Project Firefly III v6.5.9 are affected. No other vendor or product identifiers are listed; the issue resides in the open‑source code package shipped with that release.
Risk and Exploitability
A CVSS score of 9.1 signals critical severity, while an EPSS score of less than 1% shows a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the web application over the network to send the malicious POST request, making the exploit straightforward for anyone with such access.
OpenCVE Enrichment