CVE Catalog

CVE-2026-47260

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

Koel is a free, open-source music streaming solution. In versions prior to 9.3.5, Koel did not properly validate podcast episode URLs, allowing for SSRF attacks against internal services.

Risk Assessment

The organization may be exposed to SSRF attacks that could lead to unauthorized access to internal resources and data.

Recommendation

It is recommended to upgrade to version 9.3.5 or later to mitigate this vulnerability.

Original NVD description (English source)

Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode <enclosure url="..."> values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get() and streams it back to the user, enabling full-read SSRF against internal services. This issue has been patched in version 9.3.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS