CVE-2023-46945 -- CVSS 9.1 Vulnerability Briefing

CVE-2023-46945 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2023-46945 is a Server-Side Request Forgery (SSRF) vulnerability affecting Qd-Today's Qd application, specifically the build versioned 20230821, which allows an attacker to manipulate the server into making unauthorized outbound requests.

Technical Detail

The flaw exists in the Qd application's handling of user-supplied input within crafted HTTP requests, where insufficient validation allows an attacker to specify arbitrary internal or external URLs that the server will then fetch on the attacker's behalf. Successful exploitation can enable an attacker to probe internal network resources, bypass perimeter controls, access metadata services in cloud environments, or pivot toward internal systems that are otherwise unreachable from the public internet. In environments where the application has elevated network access, SSRF can serve as a precursor to further compromise including credential theft from cloud instance metadata endpoints.

Exploitation Status

No known exploit code has been publicly identified for this vulnerability at this time. It is not listed in CISA's Known Exploited Vulnerabilities catalog. There is no confirmed evidence of active exploitation in the wild as of April 15, 2026, though the absence of a known exploit does not preclude private or undisclosed exploitation activity.

Who Is Targeting This

No specific threat actor attribution has been confirmed for this vulnerability at this time. No campaigns, targeted sectors, or adversary groups have been associated with CVE-2023-46945 in available threat intelligence.

What To Do

Organizations running Qd build 20230821 should apply any available vendor patches from Qd-Today immediately given the critical CVSS score of 9.1. If a patch is not yet available or cannot be applied promptly, administrators should restrict outbound network access from the Qd application server using egress filtering to limit the scope of potential SSRF abuse, and block access to internal metadata endpoints such as 169.254.169.254 at the network layer. Input validation controls should be reviewed and enforced at the application level to reject or sanitize URL parameters. Monitor application logs for anomalous outbound connection attempts originating from the Qd service as a detection signal for potential exploitation attempts.