Description
A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server‑Side Request Forgery flaw exists in the automatic short URL title resolution component of Shlink v5.0.1. An attacker can supply a crafted longUrl and force Shlink to send an HTTP request to an internal host. The vulnerability gives the attacker the ability to probe internal network services, gather sensitive endpoint information, and potentially discover further attack vectors. The weakness is classified under CWE‑918.

Affected Systems

Shlink’s short URL service running version 5.0.1 is vulnerable. No other affected versions or vendors are listed in the advisory.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, indicating high severity. The EPSS score is listed as < 1%, suggesting that the exploitation probability is low at present. The vulnerability is not present in the CISA KEV catalog. Attacks would likely be performed from an external host by leveraging the public Shlink instance to initiate internal requests.

Generated by OpenCVE AI on June 18, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shlink to the latest patch that removes the SSRF vector
  • Disable the automatic short URL title resolution feature if it is not required
  • Configure outbound request filtering or a proxy to restrict Shlink’s HTTP connections to only trusted destinations

Generated by OpenCVE AI on June 18, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Shlink
Shlink shlink
Vendors & Products Shlink
Shlink shlink

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery in Shlink Title Resolution

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery in Shlink Title Resolution

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-918
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:54:18.538Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50887

cve-icon Vulnrichment

Updated: 2026-06-16T14:53:14.596Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:31.687

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:09Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)