Vendor
DeepSeek TUI is vulnerable to a Server-Side Request Forgery (SSRF) attack (CVE-2026-45310) because the `fetch_url` tool validates the initial URL against a restricted-IP blocklist but fails to re-validate redirect targets, allowing attackers to exfiltrate sensitive information from cloud-hosted instances by using a redirect to a restricted IP address.