[HIGH] URL Construction Injection - CVE-HSYNC-2026-004

## Security Vulnerability Report

**Severity**: HIGH (CVSS 7.5)
**File**: `connection.js`

### Description
Dynamic host connections construct URLs from unvalidated user input, potentially allowing URL injection and SSRF attacks.

### Vulnerable Code
```javascript
const result = await fetch.post(`${dynamicHost}/${hsyncBase}/dyn`, {});
```

### Impact
- SSRF attacks
- URL injection
- Potential access to internal services

### Recommendation
Validate and sanitize dynamicHost input before URL construction.

### References
- Found during security audit of hsync reverse proxy
- Part of comprehensive security review identifying 13 vulnerabilities

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[HIGH] URL Construction Injection - CVE-HSYNC-2026-004 #25

Security Vulnerability Report

Description

Vulnerable Code

Impact

Recommendation

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[HIGH] URL Construction Injection - CVE-HSYNC-2026-004 #25

Description

Security Vulnerability Report

Description

Vulnerable Code

Impact

Recommendation

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions