CVE-2026-7084 | HBAI-Ltd Toonflow-app up to 1.1.1 getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery (Issue 95)

SecurityVulns

A vulnerability described as critical has been identified in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery.

This vulnerability was named CVE-2026-7084. The attack may be performed remotely. In addition, an exploit is available.

There is ongoing doubt regarding the real existence of this vulnerability.

The vendor explains in a reply to the issue report that “[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it.”

VulDB Recent Entries
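
As an added example (not Toonflow-app's code), the following sketch shows one way a handler could validate a user-supplied link before handing it to a server-side `fetch`. The function names and the allowlisted host `vendor-code.example` are assumptions made for illustration.

```typescript
// Hypothetical allowlist: the advisory does not say which hosts serve vendor code.
const ALLOWED_HOSTS = new Set<string>(["vendor-code.example"]);

type LinkCheck = { ok: boolean; reason: string };

// True for IPv4 literals in unspecified, private, loopback or link-local ranges.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Validate the parsed URL, never the raw string: the WHATWG parser
// canonicalises decimal and hex IPv4 forms (2130706433 -> 127.0.0.1).
function checkLink(link: string, allowed: Set<string> = ALLOWED_HOSTS): LinkCheck {
  let url: URL;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "not a URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.toLowerCase();
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal" };
  if (isInternalIPv4(host)) return { ok: false, reason: "internal address" };
  if (!allowed.has(host)) return { ok: false, reason: "host not allowlisted" };
  return { ok: true, reason: "allowed" };
}

// Constructed sample inputs, one per rejection path plus one accepted link.
const samples = [
  "https://vendor-code.example/a.ts",
  "https://2130706433/x.ts",
  "https://[::1]/x.ts",
  "https://vendor-code.example@127.0.0.1/a.ts",
  "https://vendor-code.example.evil.test/a.ts",
];
for (const s of samples) console.log(s, "->", checkLink(s).reason);
```

This check covers the hostname only, not the address it resolves to, so the subsequent `fetch` should also be called with `redirect: "error"` to keep a redirect from leaving the allowlisted host.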