Impact
A server-side request forgery (SSRF) vulnerability was discovered in the Chatwoot customer engagement platform. The flaw resides in the Webhooks::Trigger method within the lib/webhooks/trigger.rb file, where user-supplied URLs are passed directly to outbound HTTP requests without adequate validation. By crafting a malicious payload to the webhook API, an attacker can cause the Chatwoot server to send arbitrary HTTP requests to internal or otherwise inaccessible resources, potentially enabling data exfiltration, internal network reconnaissance, or serving as a pivot for further attacks. The weakness is the classic SSRF pattern: untrusted input that determines where the server sends its outbound network traffic.
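The missing control described above is a destination check on the webhook URL before it reaches the HTTP client. The following is an added illustration in Ruby (Chatwoot is a Rails application), not Chatwoot's own code or its fix; the WebhookUrlGuard module name and the injectable resolver are assumptions made here so the check can run offline.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Added example (not Chatwoot's own code): validate a webhook URL
# before it reaches an outbound HTTP client. Rejects non-http(s)
# schemes, embedded credentials, and any destination that resolves
# to loopback, private, link-local (incl. cloud metadata), CGNAT,
# multicast or unspecified ranges. The resolver is injectable so
# the check runs offline in tests.
module WebhookUrlGuard
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
    ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  # Returns [true, ip] when safe to call, else [false, reason].
  # Connect to the returned ip (Host header = original name) so the
  # name cannot be re-pointed after validation (DNS rebinding).
  def self.check(url, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url.to_s)
    return [false, "scheme must be http(s)"] unless %w[http https].include?(uri.scheme)
    host = uri.hostname.to_s
    return [false, "host missing"] if host.empty?
    return [false, "credentials in URL not allowed"] if uri.userinfo

    addrs = begin
      [IPAddr.new(host).to_s]  # literal IP: no DNS lookup needed
    rescue IPAddr::InvalidAddressError
      Array(resolver.call(host))
    end
    return [false, "host does not resolve"] if addrs.empty?

    addrs.each do |a|
      ip = IPAddr.new(a)
      ip = ip.native if ip.ipv4_mapped?  # ::ffff:10.0.0.1 -> 10.0.0.1
      if BLOCKED_RANGES.any? { |r| r.include?(ip) }
        return [false, "destination #{a} is in a blocked range"]
      end
    end
    [true, addrs.first]
  rescue URI::InvalidURIError
    [false, "malformed URL"]
  end
end
```

Every address a name resolves to is checked, not just the first, and the caller should pin the request to the returned address so a later re-resolution cannot change the destination.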
Affected Systems
Any Chatwoot deployment running version 4.11.2 or earlier is impacted. The vulnerability exists in the Webhook API component, specifically in the Trigger functionality. No additional vendor product versions are listed, so all instances of Chatwoot within the affected version range should be considered vulnerable.
Risk and Exploitability
The CVSS base score of 5.3 categorizes the risk level as moderate, and the remote nature of the webhook endpoint means that the flaw can be triggered from any system that can reach the API. Public exploits are available, indicating that adversaries may already be leveraging the flaw. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, but the combination of a remote attack vector, lack of mandatory authentication for the endpoint, and known exploit code suggests a non-negligible likelihood of exploitation.
OpenCVE Enrichment