Product
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-52769, exists in YesWiki's `POST /api/forms/{formId}/actor/inbox` route when ActivityPub is enabled, allowing attackers to force arbitrary outbound HTTP GET requests to internal or external hosts and potentially exfiltrate sensitive information via timing and error messages.