Vendor
An unauthenticated server-side request forgery vulnerability, tracked as CVE-2026-63306, exists in stoatchat versions prior to 0.13.5 in the /proxy and /embed endpoints, allowing attackers to enumerate internal services, fingerprint applications, and access instance metadata endpoints, leading to unauthorized information disclosure and potential further compromise of internal infrastructure.