HackerOne Disclosed Reports - 2025-12-01 - Printable Version
+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2025-12-01 (/Thread-HackerOne-Disclosed-Reports-2025-12-01)

HackerOne disclosed reports - 2025-12-01 - hashXploiter - 12-02-2025
Critical
resolved [my.stripo.email] Blind SSRF Vulnerability in Stripo App Export via Missing Endpoints Export Email Message to Zapier
Bug reported by ꦄꦤ꧀ꦢꦿꦶ was disclosed at December 1, 2025, 8:22 am | Server-Side Request Forgery (SSRF)

A critical Blind SSRF (Server-Side Request Forgery) vulnerability was identified in the export service of the Stripo app. The vulnerability existed in the endpoint `/exportservice/v3/exports/WEBHOOK/accounts`, where malicious input could be provided in the `webhookUrl` parameter, triggering SSRF and allowing the server to make unauthorized HTTP requests to attacker-controlled systems.