Vendor
An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in CloudTAK's `/api/esri*` routes, allowing any authenticated user to compel the server to make arbitrary outbound HTTP requests to internal network resources, enabling attackers to access sensitive cloud instance metadata, enumerate internal services, and exfiltrate data by reflecting the response bodies.