CVE-2026-30832
CRIT 9.1Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
Affected Applications in Environment
19
PyCharm
v2023.2.0.PY-232.8660.197
29 devices
PyCharm
v252.23892.515.0-PY
26 devices
PyCharm
v252.27397.106.0-PY
4 devices
PyCharm
v2022.2.3 (PC-222.4345.23)
1 device
PyCharm
v253.29346.308.0-PY
2 devices
PyCharm
v2019.2.3.PY-192.6817.19
1 device
PyCharm
v252.26830.99.0-PY
5 devices
PyCharm
v251.26094.141.0-PY
1 device
PyCharm
v2023.1.2.PC-231.9011.38
2 devices
PyCharm
v252.25557.178.0-PY
1 device
PyCharm
v253.31033.139.0-PY
3 devices
PyCharm
v2024.3.1.1 (PC-243.22562.220)
1 device
PyCharm
v252.23892.439.0-PY
1 device
PyCharm
v253.29346.142.0-PY
2 devices
PyCharm
v2024.3.4 (PC-243.25659.43)
1 device
PyCharm
v253.30387.173.0-PY
1 device
PyCharm
v253.32098.74.0-PY
1 device
PyCharm
v252.28539.27.0-PY
1 device
PyCharm
v2022.3.1.PC-223.8214.51
1 device
Affected Devices
80
A02431789-Y45D2V9TXH
Mac
BELMONT-GRAD-75
Windows
CS-LAB11
Windows
CS-LAB12
Windows
CS-LAB13
Windows
DESKTOP-19H8RLU
Windows
DESKTOP-FA7AMSL
Windows
DESKTOP-UDQ5LTQ
Windows
DESKTOP-UVH1MF1
Windows
DPCOMP-05143MP
Windows
DPEMAE-7242KJQ
Windows
DPEMAE-A7242KK9
Windows
DPLAEP-PF5S8FRS
Windows
DPLIBR-JKQ4284
Windows
DPUWRL-PF5K758F
Windows
DPUWRL-PF5NV3P2
Windows
DPUWRL-R9116DTX
Windows
DigitalStudent-154737.local
Mac
EDL-12
Windows
EDL-17
Windows
EDL-28
Windows
EDL-34
Windows
EL105-01
Windows
EL105-02
Windows
EL105-03
Windows
EL105-04
Windows
EL105-05
Windows
EL105-07
Windows
EL105-08
Windows
EL105-09
Windows
EL105-10
Windows
EL105-11
Windows
EL105-12
Windows
EL105-13
Windows
EL105-14
Windows
EL105-15
Windows
EL105-16
Windows
EL105-17
Windows
EL105-18
Windows
EL105-19
Windows
EL105-20
Windows
EL105-21
Windows
EL105-22
Windows
EL105-23
Windows
EL105-24
Windows
EL105-25
Windows
EL105-26
Windows
EL105-27
Windows
EL105-28
Windows
EL105-29
Windows
EL105-30
Windows
ENGR30102
Windows
ENGR30105
Windows
ENGR30108
Windows
ENGR30114
Windows
ENGR30119
Windows
ENGR30120
Windows
ENGR30131
Windows
ENGR30132
Windows
ENGR30137
Windows
ENGR30144
Windows
ENGR30302
Windows
ENGR30303
Windows
ENGR30307
Windows
ENGR30322
Windows
ENGR30324
Windows
ENGR30327
Windows
ENGR30328
Windows
ENGR30336
Windows
ENGR30730
Windows
ENGR30735
Windows
ENGR30736
Windows
ENGR30752
Windows
Kotaro
Mac
TULLIS-5
Windows
USULOAN238
Windows
USULOAN282
Windows
USULOAN289
Windows
USULOAN335
Windows
USULOAN487
Windows