🔐 CVE Alert

CVE-2026-9813

UNKNOWN 0.0

FlowIntel external reference URL probe allows server-side request forgery

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.
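The two checks the description says were insufficient (URL scheme and resolved destination address) can be sketched as below. This is an added example, not FlowIntel's code and not the fix from the referenced commit; `check_probe_url`, `BlockedURL`, the resolver functions and the `.example` hostnames are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {"public.example": ["93.184.216.34"],
                   "metadata.example": ["169.254.169.254"],
                   "mixed.example": ["93.184.216.34", "10.0.0.5"]}


class BlockedURL(ValueError):
    """Raised when a URL must not be probed from the server."""


def system_resolver(host, port):
    """Resolve host to every address the server could connect to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def constructed_resolver(host, port):
    """Offline stand-in for DNS; unknown hosts (IP literals) pass through."""
    return CONSTRUCTED_DNS.get(host, [host])


def check_probe_url(url, resolver=system_resolver):
    """Return (host, port, addresses) only if every address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addresses = resolver(parts.hostname, port)
    except (ValueError, OSError) as exc:
        raise BlockedURL(f"cannot resolve destination: {exc}") from exc
    if not addresses:
        raise BlockedURL("host did not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%", 1)[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        if not ip.is_global or ip.is_multicast:
            raise BlockedURL(f"{parts.hostname} resolves to restricted {ip}")
    return parts.hostname, port, addresses
```

A caller should connect to one of the returned addresses rather than resolving the name a second time, so the address that was checked is the address that is contacted. Redirect targets need the same check before they are followed.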

CWE: CWE-918
Vendor: flowintel
Product: flowintel
Published: May 28, 2026
Last Updated: May 28, 2026

Affected Versions

flowintel / flowintel
0 < 3.3.0

References

github.com: https://github.com/flowintel/flowintel/commit/68b523b47854c54bf36fd706c0fd5353063b5409

Credits

Bilal Teke, David Cruciani, Alexandre Dulaunoy, Codex (GPT-5.5)