


Perceptive Security
SOC/SIEM Consultancy

A vulnerability has been found in BidingCC BuildingAI up to 26.0.1. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/servi…
Published:
26 April 2026 at 22:00:00
Alert date:
27 April 2026 at 19:18:12
Source:
nvd.nist.gov
Web Technologies
A server-side request forgery (SSRF) vulnerability has been discovered in BidingCC BuildingAI up to version 26.0.1. It affects the uploadRemoteFile function of the Remote Upload API component, in the file file-storage.service.ts. The flaw can be exploited remotely by manipulating the url argument. A public exploit has been disclosed, and the vulnerability has been reported to the project maintainers, but no response has been received yet. Through the vulnerable application, an attacker can potentially access internal resources or perform unauthorized network requests.
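For the class of flaw described above, a destination check that a remote-upload handler can run on the url argument before fetching. This is an added example, not BuildingAI's code or a patch from the project; the names `checkRemoteUploadUrl`, `isBlockedAddress`, `v4ToInt` and `BLOCKED_V4` are hypothetical, and the sample URLs in use are constructed.

```typescript
// Added example (hypothetical names, not BuildingAI code).
type Verdict = { ok: boolean; reason: string };

// IPv4 ranges a server-side fetcher should not reach: [network, prefix bits].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Dotted-quad string to integer, or null when it is not a strict IPv4 literal.
function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True for loopback, private, link-local, multicast and reserved IP literals.
function isBlockedAddress(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor((v4ToInt(net) ?? -1) / size);
    });
  }
  if (!ip.includes(":")) return false; // a hostname, not an IP literal
  const v6 = ip.toLowerCase();
  // Unspecified, loopback, IPv4-mapped (rejected wholesale), fc00::/7, fe80::/10.
  return v6 === "::" || v6 === "::1" || v6.startsWith("::ffff:") ||
    /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// Pre-fetch check for the user-supplied url of a remote-upload endpoint.
function checkRemoteUploadUrl(raw: string): Verdict {
  let u: URL;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!["http:", "https:"].includes(u.protocol)) return { ok: false, reason: "scheme not allowed" };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  // The WHATWG parser normalises numeric host forms, so test the parsed hostname.
  const host = u.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "local hostname" };
  if (isBlockedAddress(host)) return { ok: false, reason: "internal address" };
  return { ok: true, reason: "literal checks passed" };
}
```

A hostname that passes still has to be resolved, with every resolved address and every redirect target run through `isBlockedAddress` before the fetcher connects, since the literal check alone does not cover names that point at internal hosts.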
Affected products:
BidingCC BuildingAI
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7065
https://github.com/BidingCC/BuildingAI/
https://github.com/BidingCC/BuildingAI/issues/110
https://vuldb.com/submit/798621
https://vuldb.com/vuln/359640
https://vuldb.com/vuln/359640/cti
This article was created with the assistance of AI technology by Perceptive.
