{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/coreworxlab/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-8725"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CAAL (\u003c= 1.6.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability"],"_cs_type":"advisory","_cs_vendors":["CoreWorxLab"],"content_html":"\u003cp\u003eCVE-2026-8725 is a server-side request forgery (SSRF) vulnerability affecting CoreWorxLab CAAL (version 1.6.0 and earlier). The vulnerability is located in the \u003ccode\u003esrc/caal/webhooks.py\u003c/code\u003e file within the test-hass Endpoint component. An attacker can manipulate an unknown function to cause the server to make unintended HTTP requests to internal or external resources. Publicly available exploit code exists, increasing the risk of exploitation. The vendor, CoreWorxLab, was notified but did not respond.\nThis vulnerability allows a remote, unauthenticated attacker to potentially access sensitive internal resources or trigger other actions on the internal network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable CoreWorxLab CAAL instance running version 1.6.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the test-hass endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a payload designed to manipulate the \u003ccode\u003esrc/caal/webhooks.py\u003c/code\u003e file\u0026rsquo;s vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe manipulated function constructs an HTTP request based on attacker-controlled parameters.\u003c/li\u003e\n\u003cli\u003eThe CAAL server sends the crafted HTTP request to an internal or external resource.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the response from the targeted resource, gaining unauthorized access to internal information or services.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the SSRF vulnerability to scan internal networks, enumerate services, and identify further attack vectors.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8725 enables attackers to perform unauthorized actions on the vulnerable server\u0026rsquo;s internal network. This could lead to the disclosure of sensitive information, the compromise of internal services, or further exploitation of other vulnerabilities within the network.\nSince a public exploit exists, unpatched instances are at high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoreWorxLab CAAL to a version beyond 1.6.0 that addresses CVE-2026-8725.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-8725 SSRF Attempt via Webhooks\u003c/code\u003e to detect suspicious requests targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual outbound connections originating from the CAAL server, which could indicate SSRF activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-17T02:17:57Z","date_published":"2026-05-17T02:17:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8725-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-8725, exists in CoreWorxLab CAAL up to version 1.6.0, allowing remote attackers to potentially trigger internal requests.","title":"CVE-2026-8725 - CoreWorxLab CAAL SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8725-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — CoreWorxLab","version":"https://jsonfeed.org/version/1.1"}