CVE-2026-63088
stoatchat < 0.14.0 SSRF via DNS-based IP Blocklist Bypass
CVSS Score
8.6
EPSS Score
0.0%
EPSS Percentile
0th
stoatchat before 0.14.0 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the url_is_blacklisted function, which inspects only the first resolved address while the underlying HTTP client iterates all cached addresses.
| CWE | CWE-918 |
| Vendor | stoatchat |
| Product | stoatchat |
| Published | Jul 16, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for stoatchat stoatchat
Be the first to know when new high vulnerabilities affecting stoatchat stoatchat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
stoatchat / stoatchat
0 < 0.14.0
References
github.com: https://github.com/stoatchat/stoatchat/security/advisories/GHSA-4mcc-p83c-r77q github.com: https://github.com/stoatchat/stoatchat/releases/tag/v0.14.0 github.com: https://github.com/stoatchat/stoatchat/security/advisories/GHSA-xhww-5g9p-vvq5 vulncheck.com: https://www.vulncheck.com/advisories/stoatchat-ssrf-via-dns-based-ip-blocklist-bypass
Credits
George Chen