HackerOne Disclosed Reports - 2026-05-30

Severity: Medium
Status: resolved

Blind POST SSRF via Web Push Notification Endpoint


Bug reported by Miso Poop, disclosed on May 30, 2026, 4:47 pm | Server-Side Request Forgery (SSRF)

A vulnerability was discovered in phpBB 4.0.0-alpha1 that allowed registered users to register arbitrary URLs as their Web Push notification endpoint. The endpoint URL was stored without validation and later used by the phpBB server as the destination of outbound HTTP POST requests, potentially leading to blind POST server-side request forgery (SSRF).
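The missing control is validation of the endpoint URL before it is stored or used. The following is an added example of such a check, not code from the report or from phpBB; the host allowlist, the function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of browser push-service hosts (exact host or subdomain).
# Illustrative only: not taken from the report or from phpBB's code.
ALLOWED_PUSH_HOSTS = (
    "fcm.googleapis.com",
    "updates.push.services.mozilla.com",
    "notify.windows.com",
    "web.push.apple.com",
)


def system_resolver(host):
    """Resolve host to its IP address strings using the OS resolver."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_push_endpoint(url, resolver=system_resolver):
    """Return (ok, reason) for a user-supplied Web Push endpoint URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if port not in (None, 443):
        return False, "non-default port"
    host = (parts.hostname or "").rstrip(".").lower()
    if not any(host == h or host.endswith("." + h) for h in ALLOWED_PUSH_HOSTS):
        return False, "host is not a known push service"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Reject names that point at loopback, private, link-local or reserved space.
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, "resolves to non-public address " + addr
    return True, "ok"
```

Run the check when the subscription is saved and again immediately before each send, because DNS answers can change in between; the sending HTTP client should also refuse redirects.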

