Impact
A Server‑Side Request Forgery flaw exists in the automatic short URL title resolution component of Shlink v5.0.1. An attacker can supply a crafted longUrl and force Shlink to send an HTTP request to an internal host. The vulnerability gives the attacker the ability to probe internal network services, gather sensitive endpoint information, and potentially discover further attack vectors. The weakness is classified under CWE‑918.
Affected Systems
Shlink’s short URL service running version 5.0.1 is vulnerable. No other affected versions or vendors are listed in the advisory.
Risk and Exploitability
The flaw carries a CVSS score of 9.1, indicating high severity. The EPSS score is listed as < 1%, suggesting that the exploitation probability is low at present. The vulnerability is not present in the CISA KEV catalog. Attacks would likely be performed from an external host by leveraging the public Shlink instance to initiate internal requests.
OpenCVE Enrichment