CVE-2026-47260
🟡 Monitoruj
Brak walidacji URL-i w Koel pozwala na atak SSRF, co umożliwia dostęp do wewnętrznych usług.
CVSS
7.7
EPSS
0.4%
Exploit
none
Vendor
Opis źródłowy (NVD)
Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode <enclosure url="..."> values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get() and streams it back to the user, enabling full-read SSRF against internal services. This issue has been patched in version 9.3.5.
ssrf
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.7 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.4% |
| Opublikowano (NVD) | 2026-06-12 20:16:46 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-15 21:08:33 UTC |
Referencje
- https://github.com/koel/koel/commit/8708f077efd7d8a332b32e954d65bc837f3a413a (security-advisories@github.com)
- https://github.com/koel/koel/security/advisories/GHSA-7j2f-6h2r-6cqc (security-advisories@github.com)