# Vulnerability Summary: SSRF Vulnerability in Typecho 1.3.0 and Earlier Versions

## Vulnerability Overview

In Typecho 1.3.0 and earlier versions, the `/actions/service?do=ping` endpoint is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is caused by insufficient timestamp token validation and insecure handling of Pingback requests within the Pingback workflow. Attackers can exploit it without authentication by crafting malicious POST requests that induce the server to issue requests to internal addresses or to addresses controlled by the attacker. This may enable internal network probing, service scanning, or access to sensitive internal resources.

## Affected Scope

- **Affected Versions**: Typecho 1.3.0 and earlier
- **Trigger Path**: `/actions/service?do=ping` endpoint
- **Attack Conditions**: Unauthenticated
- **Potential Impact**: Internal network access, service discovery, and interaction with exposed internal services

## Remediation

- The vendor was notified on March 4, 2026; however, as of the submission date (April 6, 2026), no public fix or confirmation has been released.
- Users are advised to upgrade to a patched version or temporarily disable the `/actions/service?do=ping` endpoint.
- Strengthen security validation for timestamp tokens and request targets within the Pingback functionality.

## POC / Exploit Code

> The page explicitly states: "This submission intentionally omits weaponized proof-of-concept details to reduce risk to users."
>
> **Therefore, no fully functional POC code is provided.**

---

- **Source Link**: https://wang1r.github.io/2026/03/04/CVE-Report-Typecho-v1-3-0-SSRF/
- **Submitter**: wang1r (UID 96111)
- **Submission Time**: 2026-03-06 10:44 AM
- **Review Time**: 2026-04-25 04:11 PM
- **Status**: Published
- **VulDB Entry**: [Typecho up to 1.3 Ping Back Service Endpoint via Widget/Service.php Service::sendPingHandle X-Pingback/link server-side request forgery](https://vuldb.com/?id.277772)
- **Points**: 20
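The remediation section asks for stricter validation of timestamp tokens and request targets in the Pingback flow. The following Python sketch is an added example, not Typecho's code and not taken from the report, showing how a defender can gate a pingback-style outbound fetch: the target URL must use http or https on a standard port, every address its hostname resolves to must be globally routable (loopback, RFC 1918, link-local, IPv4-mapped and similar ranges are refused), and a timestamp token is an HMAC bound to the target that expires after a short window. The token format, the `demo_resolver` helper and its DNS table are assumptions constructed for illustration; Typecho's real token scheme is not documented on this page.

```python
"""Defensive checks for a pingback-style endpoint (added example, not Typecho code).

Two controls the remediation section calls for:
  1. request-target validation: only http(s) on standard ports, and every
     address the host resolves to must be globally routable;
  2. timestamp-token validation: an HMAC bound to the target that expires.
"""
import hashlib
import hmac
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table for offline demonstration (assumption, not real records).
_DEMO_DNS = {
    "blog.example.com": ["93.184.216.34"],           # public address
    "internal.example": ["10.0.0.5"],                # RFC 1918 address
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # public + loopback mix
}


def demo_resolver(host: str) -> List[str]:
    """Hypothetical resolver backed by the constructed table above."""
    return _DEMO_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, RFC 1918/ULA, link-local (incl. 169.254/16),
    # multicast, unspecified, CGNAT and documentation ranges.
    return addr.is_global


def validate_pingback_target(
    url: str, resolver: Optional[Callable[[str], List[str]]] = None
) -> Tuple[bool, str]:
    """Return (ok, reason). Connect only to the addresses validated here, and
    re-run this check on every redirect target; otherwise DNS rebinding or a
    30x hop can still steer the request to an internal address."""
    resolver = resolver or system_resolver
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL or port"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:  # IP literal: check it directly, no DNS lookup
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"could not resolve {host!r}"
    # Every answer must be public: a mixed answer set is a classic bypass.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, f"{host!r} -> {','.join(addrs)}"


def issue_token(target: str, issued_at: int, secret: bytes) -> str:
    """HMAC over (timestamp, target): the token is useless for any other URL."""
    msg = f"{issued_at}|{target}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_token(token: str, target: str, issued_at: int, secret: bytes,
                 now: int, max_age: int = 300) -> bool:
    """Reject tokens from the future, tokens older than max_age, and forgeries."""
    if not (now - max_age <= issued_at <= now):
        return False
    return hmac.compare_digest(issue_token(target, issued_at, secret), token)


if __name__ == "__main__":
    for u in ("http://blog.example.com/post/1", "http://internal.example/",
              "http://dual.example/", "http://127.0.0.1:8080/", "http://[::1]/",
              "file:///srv/example.txt", "ftp://blog.example.com/"):
        print(u, validate_pingback_target(u, resolver=demo_resolver))
```

Two design points matter in practice: the address that passes the check must be the address actually connected to (pin it when opening the socket, rather than letting the HTTP client resolve the name a second time), and automatic redirect following must be disabled so that each hop is validated with the same function.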