WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions.
From 神龙GPT (AIGC)
Web Washer Classic 2.2.1 和 3.3 在工作在服务器模式下时,未能正确丢弃来自外部系统的连接请求到本地主机,这可能导致远程攻击者绕过预期访问限制。