CVE-2026-41644
EUVD-2026-2835307.05.2026, 12:16
monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| monetr | monetr | 𝑥 < 1.12.5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-209 - Generation of Error Message Containing Sensitive InformationThe software generates an error message that includes sensitive information about its environment, users, or associated data.
- CWE-918 - Server-Side Request Forgery (SSRF)The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.