Platform: php
Component: idno/known
Fixed in: 1.6.5, 1.6.4
CVE-2026-28508 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting idno/known versions up to 1.6.3. This flaw allows unauthenticated attackers to bypass CSRF protection and trigger arbitrary outbound HTTP requests, potentially exposing sensitive internal data or compromising internal systems. A fix is available in version 1.6.4, and users are strongly advised to upgrade immediately.
The SSRF vulnerability in idno/known poses a significant risk because it allows attackers to bypass authentication and CSRF protections. An attacker could leverage this to make requests to internal services that are not directly accessible from the internet, such as databases, configuration management systems, or cloud instance metadata endpoints. Successful exploitation could lead to data exfiltration, privilege escalation, and potentially complete compromise of the underlying infrastructure. The ability to retrieve cloud instance metadata, for example, could expose API keys and other sensitive credentials. This vulnerability shares similarities with other SSRF exploits where attackers leverage the server as a proxy to access restricted resources.
CVE-2026-28508 was publicly disclosed on 2026-03-02. It is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. No public proof-of-concept exploit is known at this time, but the ease of exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. Monitor security advisories and threat intelligence feeds for any indication of active exploitation campaigns.
Exploit Status
EPSS: 0.13% (33rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-28508 is to upgrade to idno/known version 1.6.4 or later, which contains the necessary fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict outbound network access from the idno/known server using a firewall or network segmentation to limit the potential blast radius. Implement strict input validation and sanitization on all user-supplied URLs to prevent attackers from manipulating the request destination. Web Application Firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense. After upgrading, confirm the fix by attempting to trigger the URL unfurl service with a crafted request to an internal resource; the request should be blocked.
Update idno/known to version 1.6.4 or later. This version fixes the SSRF vulnerability by implementing proper CSRF protection on the URL unfurl endpoint.
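One form the input-validation workaround above can take, as an added example that is not code from idno/known: a destination check that a link-preview (URL unfurl) fetcher runs before making any outbound request. The names ALLOWED_SCHEMES, check_unfurl_target and the CONSTRUCTED_DNS table are assumptions made for this illustration, not identifiers from the project.

```python
"""Added illustration (not idno/known code): vet a user-supplied URL before
an unfurl fetcher requests it, rejecting loopback, private, link-local
(169.254.169.254 cloud metadata) and other non-public destinations."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # hypothetical policy for a link-preview feature

def system_resolve(host):
    """OS resolver; every address the host maps to, IPv6 scope ids stripped."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})

def is_public(ip):
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 by the embedded IPv4
    return ip.is_global and not ip.is_multicast

def check_unfurl_target(url, resolve=system_resolve):
    """Return (allowed, reason); every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup
    except ValueError:
        # Shorthands such as 127.1 are not literals here; the resolver normalises them.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:  # one internal record among public ones still rejects the name
        if not is_public(ip):
            return False, "%s is not a public address" % ip
    return True, "ok"

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {"blog.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"],
                   "dual.example": ["93.184.216.34", "::ffff:192.168.1.1"]}

def fake_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])
```

The fetcher must then connect to the vetted address rather than re-resolving the name, and must apply the same check to every redirect target, otherwise DNS rebinding or an open redirect on a public host can still reach internal services.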
CVE-2026-28508 is a critical SSRF vulnerability in idno/known versions up to 1.6.3, allowing attackers to bypass CSRF protection and make arbitrary outbound HTTP requests.
You are affected if you are using idno/known versions 1.6.3 or earlier. Upgrade to 1.6.4 to resolve the vulnerability.
Upgrade to idno/known version 1.6.4 or later. As a temporary workaround, restrict outbound network access and implement strict input validation.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official idno/known project website and security advisories for the latest information and updates regarding CVE-2026-28508.