Skip to content

CVE-2026-54157

Server-Side Request Forgery (SSRF): is CVE-2026-54157real, exploitable, or a false positive? Here's the community verdict.

☆ Watch
Critical · CVSS 9CWE-918 · Server-Side Request Forgery (SSRF)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

References

NVD MITRE CVE.org

Published

Embed this verdict
TruePositive verdict for CVE-2026-54157
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-54157/badge.svg)](https://www.truepositive.app/cve/CVE-2026-54157)
HTML
<a href="https://www.truepositive.app/cve/CVE-2026-54157"><img src="https://www.truepositive.app/cve/CVE-2026-54157/badge.svg" alt="TruePositive verdict for CVE-2026-54157"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

0 verdicts
Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

    Add a field note or remediationoptional
    Note type

    What are you adding?

    Markdown supported · minimum 20 characters.

    Related CVEs

    Same weakness: CWE-918 · Server-Side Request Forgery (SSRF).