Typecho <= 1.3.0 Unauthenticated SSRF in Pingback Service

Vulnerability Summary: SSRF Vulnerability in Typecho 1.3.0 and Earlier Versions Vulnerability Overview In Typecho 1.3.0 and earlier versions, the endpoint is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability is caused by insufficient timestamp token validation and insecure handling of Pingback requests within the Pingback workflow. Attackers can exploit this vulnerability without authentication by crafting malicious POST requests, inducing the server to initiate requests to internal addresses or addresses controlled by the attacker. This may enable internal network probing, service scanning, or access to sensitive internal resources. Affected Scope Affected Versions: Typecho 1.3.0 and earlier Trigger Path: endpoint Attack Conditions: Unauthenticated Potential Impact: Internal network access, service discovery, and interaction with exposed internal services Remediation The vendor was notified on March 4, 2026; however, as of the submission date (April 6, 2026), no public fix or confirmation has been released. Users are advised to upgrade to a patched version or temporarily disable the endpoint. Strengthen security validation for timestamp tokens and request targets within the Pingback functionality. POC / Exploit Code > The page explicitly states: “This submission intentionally omits weaponized proof-of-concept details to reduce risk to users.” > Therefore, no fully functional POC code is provided. --- Source Link: https://wang1r.github.io/2026/03/04/CVE-Report-Typecho-v1-3-0-SSRF/ Submitter: wang1r (UID 96111) Submission Time: 2026-03-06 10:44 AM Review Time: 2026-04-25 04:11 PM Status: Published VulDB Entry: Typecho up to 1.3 Ping Back Service Endpoint via Widget/Service.php Service::sendPingHandle X-Pingback/link server-side request forgery Points: 20

Goal Reached Thanks to every supporter — we hit 100%!

Typecho <= 1.3.0 Unauthenticated SSRF in Pingback Service