# Vulnerability Summary: Blind Server-Side Request Forgery in Image Edit Functionality

## Overview

This is a blind Server-Side Request Forgery (blind SSRF) in the feature that edits an image according to a user-supplied prompt. The affected function issues an HTTP GET request to a user-supplied image URL without restricting the URL's host, so the server can be made to send requests into its own local address space (loopback and internal hosts) on the attacker's behalf.

Because the SSRF is blind (the response body is never returned to the caller), the attacker cannot read internal content. What leaks is whether the server-side request succeeded or failed, which is enough to tell an open port from a closed one; the practical impact is therefore internal port scanning from the server's network position.

## Impact Scope

- **Affected Versions**: 

```
" \
  -H "Content-Type: application/json" \
  -d '{"form_data": {"image": "", "prompt": "poc"}}'
```

## Detailed Information

- **CVSS v3 Base Metrics**:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Low
  - Scope: Unchanged
  - Confidentiality: Low
  - Integrity: None
  - Availability: None
- **CVE ID**: CVE-2026-3425
- **CWE ID**: CWE-918
- **Credits**: gg0h
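The root cause described in the Overview is a fetch of a user-controlled URL with no host restriction. The following is an added example of the check that the image-fetching code would need before making the request; it is not code from the affected project, and the function names, the allowed-port policy and the `CONSTRUCTED_DNS` table are assumptions made for the example. It rejects non-HTTP schemes, embedded credentials, unusual ports, literal or DNS-resolved addresses that are loopback, private, link-local (including the cloud metadata address), unspecified, IPv4-mapped IPv6 or multicast, and hostnames where any one record is internal. It returns the validated addresses so the caller can connect to them directly rather than re-resolving the name.

```python
"""Validate a user-supplied image URL before a server-side fetch (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # assumption: an outbound image fetch never needs other ports


def resolve_all(host):
    """Resolve every A/AAAA record for `host` with the system resolver.

    All records are checked, so a name that maps to one public and one
    internal address is still rejected.
    """
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254
    # included), 0.0.0.0/8 and reserved space; multicast is not consistently
    # covered by it across Python versions, so it is excluded explicitly.
    return addr.is_global and not addr.is_multicast


def check_image_url(url, resolve=resolve_all):
    """Decide whether `url` may be fetched server-side.

    Returns (ok, reason, addresses). `addresses` holds the resolved IPs so the
    caller can connect to the address that was validated; resolving the name a
    second time at connect time would reopen the DNS-rebinding window.
    """
    parts = urlsplit(url)                         # urlsplit lower-cases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:       # file://, gopher://, dict:// ...
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", []
    host = parts.hostname                         # brackets stripped from IPv6 literals
    if not host:
        return False, "missing host", []
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", []
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IP: no DNS lookup
    except ValueError:
        try:
            addrs = resolve(host)                 # decimal/octal forms like 2130706433
        except (socket.gaierror, OSError):        # also end up here and are resolved
            return False, "host does not resolve", []
    if not addrs:
        return False, "host does not resolve", []
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{addr} is not a public address", addrs
    return True, "ok", addrs


# Constructed DNS table standing in for real resolution so the demo runs offline.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.1.2.3"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback record
}


def constructed_resolve(host):
    """Resolver backed by CONSTRUCTED_DNS; unknown names fail like NXDOMAIN."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed resolver: no such host")
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS[host]]


if __name__ == "__main__":
    for url in [
        "https://cdn.example.com/cat.png",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/",
        "http://rebind.example/cat.png",
        "file:///etc/passwd",
    ]:
        ok, reason, _ = check_image_url(url, resolve=constructed_resolve)
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({reason})")
```

Two points follow from the blind nature of the bug. First, the check must run on every URL the fetch will touch, so redirects have to be disabled or each hop re-validated; otherwise a public URL that 302s to `http://127.0.0.1:8080/` passes the check and defeats it. Second, even with the response body hidden, success/failure and timing differences are what turn the fetch into a port-scan oracle, so the error returned to the user for a blocked URL should be a single generic message rather than the underlying connection error.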