[ SAMPLE ] Pipeline scaffold — replace this folder with a real post.

Sample CVE-2026-00001 — Authenticated SSRF in Example Suite

Sample research write-up — clearly marked. Demonstrates the full /research pipeline (frontmatter, prose, code blocks, callouts, figures). Replace with real findings.

This is a sample post committed alongside the Phase 5 build so the publishing pipeline can be inspected end-to-end. The CVE id, the “Example Suite” target, and every code block below are fictional — replace this folder with a real finding when ready.

Background

The Example Suite admin console exposes a server-side request preview endpoint to authenticated users with the auditor role. The endpoint does not validate the destination URL beyond a hostname allowlist, which is evaluated after DNS resolution rather than before.

The vulnerability lets a low-privilege auditor pivot the application server to reach internal metadata services and adjacent containers in the same VPC.

  • Discovered during a routine scoped pentest
  • Reproducible in versions ≤ 4.2.3, fixed in 4.2.4
  • Internal endpoints reachable, no outbound write

Reproduction

The exploit chain is three short requests. Authenticate, request a preview against an attacker-controlled hostname, and read the forwarded response from the metadata service.

POST /api/preview HTTP/1.1
Host: target.example
Cookie: session=AUDITOR_SESSION
Content-Type: application/json

{
  "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

The server resolves the hostname, then runs the allowlist check on the resolved address — but it has already issued the outbound fetch.

Mitigation

The vendor’s 4.2.4 release reorders the checks: the hostname is resolved only after allowlist validation, and the resolved IP is then re-validated against an explicit deny-list (link-local, RFC 1918, multicast).

- const ip = await resolve(url.hostname);
- if (!allowlist.includes(url.hostname)) return reject();
- const body = await fetch(url);
+ if (!allowlist.includes(url.hostname)) return reject();
+ const ip = await resolve(url.hostname);
+ if (isBlockedIp(ip)) return reject();
+ const body = await fetch(url);
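Review bot: the `+` lines validate `ip` but the final `+ const body = await fetch(url);` still connects by hostname, so the HTTP client performs its own second DNS lookup and the address that was checked is not necessarily the one used; a short-TTL record can change between `resolve()` and `fetch()`, which is the classic check-versus-use window for this bug class. Pin the connection to the validated address (a custom lookup or agent that answers `ip` for `url.hostname`, keeping the original Host header and TLS server name), and have `resolve` return every record so `isBlockedIp` is applied to all of them rather than to a single address, since a host that answers with one public and one internal record passes as written.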

Disclosure timeline

  • 2026-04-10 — initial report sent to vendor security
  • 2026-04-11 — vendor acknowledges
  • 2026-05-02 — patch 4.2.4 released
  • 2026-05-25 — public write-up

FIG 01 · Request flow before and after the 4.2.4 patch.

Acknowledgements

Coordinated disclosure with the Example Suite security team. Patch adopted by all stable channels within three weeks.