
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is pas…

Published:

19 April 2026 at 22:00:00

Alert date:

20 April 2026 at 17:02:28

Source:

nvd.nist.gov


Web Technologies

Vvveb prior to version 1.0.8.1 contains a server-side request forgery (SSRF) vulnerability in the oEmbedProxy action of the editor/editor module. The vulnerability occurs when the url parameter is passed directly to getUrl() via curl without proper scheme or destination validation. Authenticated backend users can exploit this by supplying file:// URLs to read arbitrary files accessible to the web server process or http:// URLs targeting internal network addresses to probe internal services. The response bodies from these requests are returned directly to the caller, making this a significant security risk for information disclosure and internal network reconnaissance.
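
The scheme and destination validation described as missing above can be sketched as follows. This is an added example, not Vvveb's code and not the fix shipped in 1.0.8.1; the function names checkFetchTarget and fetchRemote are hypothetical, and the private and reserved ranges are the ones PHP's filter flags define.

```php
<?php
// Added example, not Vvveb code; function names are hypothetical.

// Returns [host, port, ip] if $url may be fetched server-side, else null.
function checkFetchTarget(string $url): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // file:// and every other non-HTTP scheme is refused
    }
    $host = trim($p['host'], '[]'); // parse_url keeps IPv6 brackets
    // IP literals are checked directly; names are resolved (IPv4 only) first.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        // Loopback, RFC 1918, link-local (169.254.0.0/16) and similar fail here.
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return [$host, $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

// Fetches $url only if it passes the check; returns the body or null.
function fetchRemote(string $url): ?string
{
    $target = checkFetchTarget($url);
    if ($target === null) {
        return null;
    }
    [$host, $port, $ip] = $target;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would bypass the check
        CURLOPT_TIMEOUT        => 5,
        // Pin the connection to the validated address (DNS rebinding).
        CURLOPT_RESOLVE        => $host === $ip ? [] : ["$host:$port:$ip"],
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}
```

Every resolved address must pass the range check, and the request is pinned to the checked address so a second DNS lookup cannot return a different one.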

Technical details

Mitigation steps:

Affected products:

Vvveb

Related links:

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
