Home / Vulnerability Intelligence / CVE-2026-30832

CVE-2026-30832 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 9, 2026

Soft Serve - Server-Side Request Forgery

Published: March 7, 2026Updated: March 9, 2026Remote Exploitable

Overview

Soft Serve 0.6.0 to < 0.11.4 contains a server-side request forgery caused by crafted --lfs-endpoint URL in repo import, letting authenticated SSH users make HTTP requests to internal IPs, exploit requires authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 3.6%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can make HTTP requests to internal services, potentially leading to unauthorized internal data access.

Mitigation

Upgrade to version 0.11.4 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 8, 2026

🔴 CVE-2026-30832 - Critical (9.1) Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30832/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-30832
Severity: Critical
CVSS Score: 9.1
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 3.6%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

EPSS Score

3.6%Probability of exploitation in the next 30 days