Perceptive Security
SOC/SIEM Consultancy

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or res…
Published:
1 March 2026 at 23:00:00
Alert date:
2 March 2026 at 18:02:45
Source:
nvd.nist.gov
Operating Systems, Mobile & IoT
ZimaOS, a fork of the CasaOS operating system for Zima devices and x86-64 systems, contains a server-side request forgery (SSRF) vulnerability in version 1.5.0 and prior. The vulnerability stems from insufficient validation of target URLs, which allows authenticated local users to craft requests aimed at internal IP addresses, including localhost and private network ranges. This lets an attacker interact with internal HTTP/HTTPS services that should not be reachable externally or by local users. The vulnerability poses a significant risk because it can lead to unauthorized access to internal services and potential lateral movement within the network. At the time of writing, no patch is publicly available for this vulnerability.
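The root cause described above is a target-URL check that does not reject loopback, private and link-local destinations. The following Go example (added here for illustration; it is not code from ZimaOS, CasaOS or the advisory, and the names ValidateTargetURL, IsBlockedIP, Resolver and blockedNets, as well as the sample hostnames, are assumptions constructed for the example) shows the shape of a check that closes this class of SSRF: it parses the URL, allows only http/https, resolves the host through an injectable resolver, and refuses the request if any resolved address lands in a non-public range, including IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// blockedNets lists ranges a user-supplied URL must never reach: loopback,
// RFC 1918 private space, link-local (which also covers cloud metadata
// endpoints), CGNAT, the "this network" block, and the IPv6 loopback,
// unspecified, unique-local and link-local ranges. Assumed list for the
// example; extend it to match the deployment.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "::/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip falls inside a blocked range. IPv4-mapped
// IPv6 addresses are unwrapped first so "::ffff:127.0.0.1" is still caught.
func IsBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver lets callers inject name resolution: net.LookupIP in production,
// a constructed stub in tests so the check runs offline.
type Resolver func(host string) ([]net.IP, error)

var ErrBlockedTarget = errors.New("target resolves to a non-public address")

// ValidateTargetURL parses raw, requires http or https, resolves the host and
// rejects the request if any resolved address is blocked. On success it
// returns the vetted addresses: the caller should connect to one of these
// rather than re-resolving the name, which would reopen a rebinding window.
func ValidateTargetURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address, no lookup needed
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("host resolved to no addresses")
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrBlockedTarget, host, ip)
		}
	}
	return ips, nil
}

func main() {
	// Literal targets only, so this stand-alone run needs no network;
	// net.LookupIP is the resolver a service would pass in production.
	for _, raw := range []string{
		"http://127.0.0.1:8080/", "http://[::ffff:10.0.0.5]/",
		"http://169.254.169.254/", "https://93.184.216.34/",
	} {
		_, err := ValidateTargetURL(raw, net.LookupIP)
		fmt.Printf("%-32s %v\n", raw, err)
	}
}
```

The check is applied to the resolved addresses rather than to the hostname string, so obfuscated forms of a loopback address (an IPv6 literal, a mapped address, a name that resolves to 127.0.0.1) are all rejected the same way. Because a validated address can change between the check and the connect, a production version should also pin the outbound dialer to the returned addresses and disable or re-validate redirects.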
Technical details
Mitigation steps:
Affected products:
ZimaOS
CasaOS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-64427
https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-m8hj-7xg5-p375
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
