Medium severity4.3NVD Advisory· Published Apr 3, 2026· Updated Apr 13, 2026

CVE-2026-22662

Description

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests to the /api/media-generate endpoint to probe internal networks, access internal services, and exfiltrate data through the upstream Wiro service without receiving direct response bodies.

Affected products

Fka/Prompts.chat
cpe:2.3:a:fka:prompts.chat:*:*:*:*:*:*:*:*
Range: <2026-03-24

Patches

1464475df269

https://github.com/f/prompts.chatvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/f/prompts.chat/commit/1464475df2698fb7ccd0cdbc382b0750466f891dnvdPatch
github.com/f/prompts.chat/pull/1102nvdIssue TrackingMitigationVendor Advisory
www.vulncheck.com/advisories/prompts-chat-blind-ssrf-via-media-generatenvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000