Threat Advisory

CC-Tweaked Vulnerability Impairs Cloud Network Traffic Boundaries

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-47695, rated CVSS 7.1, is a server-side request forgery (SSRF) vulnerability affecting the CC-Tweaked core library in all versions. The flaw arises because the HTTP API's address filter relies on Java's InetAddress classification, which does not recognize IPv6 NAT64 addresses as private. An attacker who can execute Lua code on a CC-Tweaked computer can therefore craft a request to a NAT64-formatted address (the well-known prefix 64:ff9b::/96 with the target IPv4 address embedded in the low 32 bits) that the filter mistakenly permits, and the NAT64 gateway then forwards it to the embedded IPv4 host. Exploitation requires three conditions: the server must have an IPv6 address, the surrounding network must provide a NAT64 gateway, and the routing table must contain a 64:ff9b::/96 → NAT64 gateway entry, a configuration common on AWS, GCP, and other cloud providers using IPv6-only subnets. Once the bypass is achieved, the attacker can send arbitrary HTTP requests to any internal IPv4 service that the filter is intended to block, gaining the ability to probe, exfiltrate from, or manipulate internal APIs, databases, or management consoles. This can lead to data leakage, unauthorized internal service access, and lateral movement within the cloud VPC, severely impacting confidentiality and operational integrity.
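The following is an added illustration of the filter weakness described above, not code from CC-Tweaked or its advisory. It uses Python's ipaddress module, which classifies the well-known NAT64 prefix 64:ff9b::/96 the same way as Java's InetAddress on this point (not private, not loopback, not link-local), so a filter that only consults the library's classification lets a NAT64-embedded internal address through. The function names, the "blocked" policy (private, loopback and link-local ranges), the extra_nat64_prefixes parameter and every sample address are assumptions made for the example; the hardened check works by extracting the embedded IPv4 address and evaluating the policy on that, which is the address the NAT64 gateway will actually reach.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_address
from typing import Iterable, Optional, Union

# RFC 6052 well-known NAT64 prefix; the IPv4 destination sits in the low 32 bits.
NAT64_WELL_KNOWN = IPv6Network("64:ff9b::/96")


def _policy_blocks(addr: Union[IPv4Address, IPv6Address]) -> bool:
    """Hypothetical deny policy: internal, loopback and link-local ranges (incl. 169.254/16)."""
    return addr.is_private or addr.is_loopback or addr.is_link_local


def is_blocked_naive(host: str) -> bool:
    """Weak filter: trusts the library's classification of the literal address.

    A 64:ff9b::/96 address is neither private nor loopback nor link-local by
    that classification, so the embedded internal IPv4 target is not seen.
    """
    return _policy_blocks(ip_address(host))


def embedded_ipv4(addr: Union[IPv4Address, IPv6Address],
                  extra_nat64_prefixes: Iterable[str] = ()) -> Optional[IPv4Address]:
    """Return the IPv4 address an IPv6 literal will really reach, if it embeds one.

    Handles IPv4-mapped (::ffff:0:0/96), the well-known NAT64 prefix, and any
    deployment-specific /96 NAT64 prefixes passed in (assumption: RFC 6052
    /96-style embedding, IPv4 in the low 32 bits).
    """
    if isinstance(addr, IPv4Address):
        return addr
    mapped = addr.ipv4_mapped
    if mapped is not None:
        return mapped
    prefixes = [NAT64_WELL_KNOWN] + [IPv6Network(p) for p in extra_nat64_prefixes]
    for prefix in prefixes:
        if prefix.prefixlen == 96 and addr in prefix:
            return IPv4Address(int(addr) & 0xFFFF_FFFF)
    return None


def is_blocked_hardened(host: str, extra_nat64_prefixes: Iterable[str] = ()) -> bool:
    """Hardened filter: evaluate the policy on the embedded IPv4 target when there is one."""
    addr = ip_address(host)
    inner = embedded_ipv4(addr, extra_nat64_prefixes)
    return _policy_blocks(inner if inner is not None else addr)


if __name__ == "__main__":
    # Constructed sample targets: an RFC 1918 host and the cloud metadata address,
    # each written as a NAT64 literal, plus a public IPv4 host for comparison.
    for target in ("64:ff9b::10.0.0.5", "64:ff9b::169.254.169.254", "64:ff9b::8.8.8.8"):
        print(f"{target:28} naive blocked={is_blocked_naive(target)!s:5} "
              f"hardened blocked={is_blocked_hardened(target)}")
```

The hardened check only helps if it is applied to the address the socket will actually connect to, after DNS resolution, and the NAT64 prefix must be treated as a deployment parameter: networks that use a prefix other than 64:ff9b::/96 need it supplied via extra_nat64_prefixes (or the equivalent configuration), otherwise those literals fall back to the same weak classification.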

RECOMMENDATION:


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-5jh9-2h63-pw4q
