CVE-2026-40089 - Vulnerability Analysis
Critical | CVSS: 9.9 | Last Updated: April 9, 2026
Sonicverse - Server-Side Request Forgery
Published: April 9, 2026 | Updated: April 9, 2026 | Remote Exploitable
Overview
Sonicverse contains a server-side request forgery caused by insufficient validation of user-controlled URLs in the dashboard API client, letting authenticated operators make arbitrary HTTP requests from the backend.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Authenticated operators can make arbitrary HTTP requests from the backend, potentially accessing internal or external systems.
Mitigation
Update to the version including commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4 or later.
Details
- CVE ID: CVE-2026-40089
- Severity: Critical
- CVSS Score: 9.9
- Type: server_side_request_forgery
- Status: new
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L