CVE-2026-6979— devlikeapro WAHA API Request media.controller.ts server-side request forgery

devlikeapro WAHA API Request media.controller.ts server-side request forgery

A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

服务端请求伪造(SSRF)

WAHA 代码问题漏洞

WAHA是devlikeapro开源的一个WhatsApp HTTP API服务工具。 WAHA 2026.3.4及之前版本存在代码问题漏洞，该漏洞源于组件API Request Handler中文件src/api/media.controller.ts的未知功能，可能导致服务端请求伪造。

N/A

N/A