Server-Side Request Forgery in hcengineering Huly Platform
CVE-2026-5623

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 6 April 2026

What is CVE-2026-5623?

A server-side request forgery (SSRF) vulnerability exists in hcengineering Huly Platform version 0.7.382. It affects the Import Endpoint component in the file server/front/src/index.ts. An attacker can manipulate the requests that the server sends to internal or external resources, and the attack can be carried out remotely. The vendor was notified early but has not addressed the issue, and public exploit code is available, so widespread exploitation is possible.

Affected Version(s)

Huly Platform 0.7.382

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ghufran Khan (VulDB User)
VulDB CNA Team