CVE Alert

CVE-2026-41644

UNKNOWN 0.0

monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5.

CWE: CWE-209, CWE-770, CWE-918
Vendor: monetr
Product: monetr
Published: May 7, 2026
Last Updated: May 7, 2026

Affected Versions

monetr / monetr
< 1.12.5

References

github.com: https://github.com/monetr/monetr/security/advisories/GHSA-29v9-frvh-c426
github.com: https://github.com/monetr/monetr/pull/3122
github.com: https://github.com/monetr/monetr/commit/c260caa3c573a4a396ec2d264c7641a5d958385b
github.com: https://github.com/monetr/monetr/releases/tag/v1.12.5