Vulnerability Description
prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies.
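The class of fix this advisory describes is an allow-list check on the user-supplied inputImageUrl before any server-side fetch. The following is an added TypeScript example and not the prompts.chat project's own code or its actual patch; the function names and the exact policy are assumptions. It rejects non-http(s) schemes and literal hosts that are loopback, private, link-local (including the cloud-metadata address), unique-local or otherwise non-public, and relies on the WHATWG URL parser to normalise numeric host encodings first.

```typescript
// Added example, not code from prompts.chat: validate a user-supplied image
// URL before the server fetches it. Helper names and policy are assumptions.
// Caveat: this checks only the literal host; a hostname that later resolves
// to an internal address (DNS rebinding) must also be rejected at connect time.

// Non-public IPv4 ranges: "this" network, loopback, private, link-local
// (which includes 169.254.169.254 cloud metadata), CGNAT, multicast/reserved.
function isPublicIPv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  if (a === 0 || a === 10 || a === 127) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  if (a === 169 && b === 254) return false;
  if (a === 100 && b >= 64 && b <= 127) return false;
  return a < 224;
}

// Non-public IPv6: loopback/unspecified, link-local, unique-local, and
// IPv4-mapped addresses (rejected outright rather than unwrapped).
function isPublicIPv6(ip: string): boolean {
  const l = ip.toLowerCase();
  if (l === "::1" || l === "::") return false;
  if (l.startsWith("fe80:") || l.startsWith("fc") || l.startsWith("fd")) return false;
  if (l.startsWith("::ffff:")) return false;
  return true;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function validateInputImageUrl(raw: string): { ok: boolean; reason?: string } {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "malformed URL" };
  // Only web schemes; this blocks file:, gopher:, data: and similar.
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // The WHATWG parser normalises numeric hosts (e.g. 2130706433 or 0x7f000001)
  // to dotted-decimal, so the literal-IP checks below see the canonical form.
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return { ok: false, reason: "internal hostname" };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (!isPublicIPv4(host)) return { ok: false, reason: "non-public IPv4" };
  } else if (host.includes(":")) {
    if (!isPublicIPv6(host)) return { ok: false, reason: "non-public IPv6" };
  }
  return { ok: true };
}
```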
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fka | Prompts.Chat | < 2026-03-24 |
Related Weaknesses (CWE)
References
- https://github.com/f/prompts.chat/commit/1464475df2698fb7ccd0cdbc382b0750466f891 (Patch)
- https://github.com/f/prompts.chat/pull/1102 (Issue Tracking, Mitigation, Vendor Advisory)
- https://www.vulncheck.com/advisories/prompts-chat-blind-ssrf-via-media-generate (Third Party Advisory)
FAQ
What is CVE-2026-22662?
CVE-2026-22662 is a vulnerability with a CVSS score of 4.3 (MEDIUM). prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-contr...
How severe is CVE-2026-22662?
CVE-2026-22662 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-22662?
Check the references section above for vendor advisories and patch information. Affected products include: Fka Prompts.Chat.