What is CVE-2026-30832?

CVE-2026-30832 is a critical-severity vulnerability in Charmbracelet Soft-serve, classified under Server-Side Request Forgery (SSRF). CVSS score: 9.1/10. Published 2026-03-07.

How severe is CVE-2026-30832?

Critical severity. CVSS v3 base score is 9.1 out of 10.

SSRF in Charmbracelet Soft-serve

CVE-2026-30832

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (7.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L.

Affected products

Charmbracelet Soft-serve — versions >= 0.6.0, < 0.11.4

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-3fvx-xrxq-8jvv (x_refsource_CONFIRM)
https://github.com/charmbracelet/soft-serve/commit/3ef660098ab37a7950457da8ecc25b516e37ce4e (x_refsource_MISC)
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.4 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-30832?: CVE-2026-30832 is a critical-severity vulnerability in Charmbracelet Soft-serve, classified under Server-Side Request Forgery (SSRF). CVSS score: 9.1/10. Published 2026-03-07.
How severe is CVE-2026-30832?: Critical severity. CVSS v3 base score is 9.1 out of 10.