diff --git a/src/webhook_manager.py b/src/webhook_manager.py
index dbcaeef..5e56032 100644
--- a/src/webhook_manager.py
+++ b/src/webhook_manager.py
@@ -38,6 +38,20 @@ _PRIVATE_NETWORKS = [
 
 
 def _ip_is_private(addr: ipaddress._BaseAddress) -> bool:
+    # If the address is IPv4-mapped IPv6, extract and evaluate the embedded IPv4
+    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
+        addr = addr.ipv4_mapped
+
+    if (
+        addr.is_private
+        or addr.is_loopback
+        or addr.is_link_local
+        or addr.is_reserved
+        or addr.is_multicast
+        or addr.is_unspecified
+    ):
+        return True
+
     return any(addr in net for net in _PRIVATE_NETWORKS)
 
 
diff --git a/tests/test_webhook_ssrf_resilience.py b/tests/test_webhook_ssrf_resilience.py
new file mode 100644
index 0000000..8557b78
--- /dev/null
+++ b/tests/test_webhook_ssrf_resilience.py
@@ -0,0 +1,28 @@
+import sys
+# conftest.py stubs src.database with a fake module; webhook_manager imports
+# from it, so drop the stub here to load the real module under test.
+if "src.database" in sys.modules:
+    del sys.modules["src.database"]
+
+import pytest
+from src.webhook_manager import validate_webhook_url
+
+
+def test_webhook_url_ssrf_mitigation():
+    # SSRF bypasses that must be rejected, including IPv6 unspecified and
+    # IPv4-mapped IPv6 (loopback + cloud metadata).
+    private_urls = [
+        "http://[::]/",
+        "http://[::ffff:127.0.0.1]/",
+        "http://[::ffff:169.254.169.254]/",
+        "http://127.0.0.1/",
+        "http://0.0.0.0/",
+    ]
+    for url in private_urls:
+        with pytest.raises(ValueError) as exc:
+            validate_webhook_url(url)
+        assert "private/internal addresses" in str(exc.value)
+
+    # A clearly public IP literal must still be accepted.
+    public_url = "http://93.184.216.34/"
+    assert validate_webhook_url(public_url) == public_url