HackerOne Disclosed Reports - 2025-12-01


Critical
resolved

[my.stripo.email] Blind SSRF Vulnerability in Stripo App Export via Missing Endpoints Export Email Message to Zapier


Bug reported by ꦄꦤ꧀ꦢꦿꦶ was disclosed on December 1, 2025, 8:22 am   |   Server-Side Request Forgery (SSRF)

A critical blind SSRF (Server-Side Request Forgery) vulnerability was identified in the export service of the Stripo app. The vulnerability existed in the endpoint `/exportservice/v3/exports/WEBHOOK/accounts`: the `webhookUrl` parameter was accepted without validation, so an attacker-supplied value caused the server to issue unauthorized HTTP requests to attacker-controlled systems. The SSRF is blind because the response to those requests is not returned to the caller.
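A server-side check of the kind that would have blocked this class of input, as an added example written here (not Stripo's code): the function name, the decision to accept only public `https` destinations, and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator for a user-supplied webhookUrl (not Stripo's code).
ALLOWED_SCHEMES = {"https"}  # assumption: webhooks must be public https


def _resolve(host):
    """Resolve host to every A/AAAA address it currently maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def validate_webhook_url(url, resolver=_resolve):
    """Return (ok, reason). Refuse anything that would let the export
    service reach non-public address space on the attacker's behalf."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # A literal IP is checked directly; a hostname is resolved and every
    # returned address is checked, so a name that points at 127.0.0.1 or
    # 169.254.169.254 is refused just like the literal would be.
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False, "hostname does not resolve"
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
        if not addr.is_global:  # private, loopback, link-local, reserved
            return False, f"non-public address {addr}"
    return True, "ok"
```

Checking once at submission time does not by itself defeat DNS rebinding between the check and the fetch, so the same address test belongs at connection time as well, and the fetcher should not follow redirects automatically.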




