CVE-2023-46945
Published: 08 April 2026
Summary
CVE-2023-46945 is a critical-severity SSRF (CWE-918) vulnerability in Qd-Today Qd. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks at the 12.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Validates crafted requests to prevent attackers from manipulating the server into initiating unintended connections via SSRF.
Monitors and controls communications at system boundaries to block unauthorized outbound requests forged by SSRF exploitation.
Enforces information flow control policies to restrict server access to internal resources that SSRF attempts to reach.
NVD Description
QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request.
Deeper analysis [AI]
CVE-2023-46945 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting QD version 20230821. The issue arises from a crafted request that enables attackers to manipulate the server into initiating unintended connections. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). It was published on 2026-04-08T17:17:01.010.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a specially crafted request to an affected QD instance, they can achieve high impacts on confidentiality and integrity, such as forcing the server to access internal resources or services that would otherwise be inaccessible from external networks.
Mitigation details are available in the referenced advisories, including a GitHub Gist at https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056 and the QD project page at https://qd-today.github.io/qd/.
Details
- CWE(s)