A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PUBLISHED5.2ApplicationCWE-918
perfree go-fastdfs-web Installation Endpoint checkServer server-side request forgery
Problem type
Affected products
perfree
go-fastdfs-web
1.3.0 - AFFECTED
1.3.1 - AFFECTED
1.3.2 - AFFECTED
1.3.3 - AFFECTED
1.3.4 - AFFECTED
1.3.5 - AFFECTED
1.3.6 - AFFECTED
1.3.7 - AFFECTED
References
VDB-369017 | perfree go-fastdfs-web Installation Endpoint checkServer server-side request forgery
https://vuldb.com/vuln/369017
VDB-369017 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/369017/cti
CVE-2026-11437 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11437
Submit #822726 | perfree go-fastdfs-web ≤1.3.7 Server-Side Request Forgery
https://vuldb.com/submit/822726
notion.so
https://www.notion.so/Server-Side-Request-Forgery-SSRF-in-go-fastdfs-web-Installation-Endpoint-35aea92a3c41806485ffeeac7e18126a
GitHub Security Advisories
GHSA-6g49-gvr8-2cj2
A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer...
https://github.com/advisories/GHSA-6g49-gvr8-2cj2A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-11437
vuldb.com
https://vuldb.com/cve/CVE-2026-11437
vuldb.com
https://vuldb.com/submit/822726
vuldb.com
https://vuldb.com/vuln/369017
vuldb.com
https://vuldb.com/vuln/369017/cti
notion.so
https://www.notion.so/Server-Side-Request-Forgery-SSRF-in-go-fastdfs-web-Installation-Endpoint-35aea92a3c41806485ffeeac7e18126a
github.com
https://github.com/advisories/GHSA-6g49-gvr8-2cj2
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-11437Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-11437",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-06-06T16:30:12.201Z",
"dateReserved": "2026-06-05T22:12:51.217Z",
"datePublished": "2026-06-06T16:30:12.201Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-06-06T16:30:12.201Z"
},
"title": "perfree go-fastdfs-web Installation Endpoint checkServer server-side request forgery",
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"affected": [
{
"vendor": "perfree",
"product": "go-fastdfs-web",
"cpes": [
"cpe:2.3:a:perfree:go-fastdfs-web:*:*:*:*:*:*:*:*"
],
"modules": [
"Installation Endpoint"
],
"versions": [
{
"version": "1.3.0",
"status": "affected"
},
{
"version": "1.3.1",
"status": "affected"
},
{
"version": "1.3.2",
"status": "affected"
},
{
"version": "1.3.3",
"status": "affected"
},
{
"version": "1.3.4",
"status": "affected"
},
{
"version": "1.3.5",
"status": "affected"
},
{
"version": "1.3.6",
"status": "affected"
},
{
"version": "1.3.7",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Server-Side Request Forgery",
"cweId": "CWE-918",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/369017",
"name": "VDB-369017 | perfree go-fastdfs-web Installation Endpoint checkServer server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/369017/cti",
"name": "VDB-369017 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/cve/CVE-2026-11437",
"name": "CVE-2026-11437 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://vuldb.com/submit/822726",
"name": "Submit #822726 | perfree go-fastdfs-web ≤1.3.7 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://www.notion.so/Server-Side-Request-Forgery-SSRF-in-go-fastdfs-web-Installation-Endpoint-35aea92a3c41806485ffeeac7e18126a",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 7.3,
"baseSeverity": "HIGH"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 7.5
}
}
],
"timeline": [
{
"time": "2026-06-05T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-06-06T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-06-06T00:17:55.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "din4 (VulDB User)",
"type": "reporter"
},
{
"lang": "en",
"value": "VulDB CNA Team",
"type": "coordinator"
}
]
}
}
}