CVE-2026-42261: PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.
Summary
PromptHub versions 0.4.9 to before 0.5.4 contain an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into fetching URLs they control). An authenticated endpoint allows users to supply a URL that the server fetches and returns the response, but the security check meant to block private IP addresses (internal network addresses) can be bypassed using alternate IPv6 (internet protocol version 6, the newer internet addressing system) representations. Any registered user can exploit this, or anyone on the internet if registration is enabled.
Solution / Mitigation
Update to version 0.5.4 or later, which includes a patch for this vulnerability.
Vulnerability Details
7.1(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
network
low
low
none
May 8, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42261
First tracked: May 8, 2026 at 02:12 AM
Classified by LLM (prompt v3) · confidence: 85%