CVE Catalog

CVE-2026-47170

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

Garlic-Hub, managing a digital signage network, prior to version 1.1 allowed authenticated users to send arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This enables internal port scanning, service fingerprinting, and retrieval of internal HTTP responses stored in the publicly accessible media pool.

Risk Assessment

The organization may be exposed to unauthorized access to internal services and information leakage, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade to version 1.1 or later to mitigate this vulnerability and restrict access to the uploadFromUrl endpoint.

Original NVD description (English source)

Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the server to issue arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This allows internal port scanning, service fingerprinting, and retrieval of internal HTTP responses which are stored in the publicly accessible media pool. This issue has been patched in version 1.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS