CVE-2026-12095

HIGH 7.2

Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

0th

The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.

CWE	CWE-918
Vendor	bytuncay
Product	kargo takip
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for bytuncay kargo takip

Be the first to know when new high vulnerabilities affecting bytuncay kargo takip are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

bytuncay / Kargo Takip

0 ≤ 1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/79d91300-b6b7-4c3f-89b1-c48b9e47c415?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/kargo-takip/trunk/ui/decodeandview.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/kargo-takip/trunk/ui/decodeandview.php#L3 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/kargo-takip/trunk/ui/decodeandview.php#L28

Credits

YU-SHENG YU