CVE-2026-47684
HighCVSS 7.7Summary
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. In versions prior to 2.3.0, the regex used in the URL download feature for blocking private IP addresses does not match IPv4-mapped IPv6 addresses, allowing SSRF protection to be bypassed on dual-stack systems.
Risk Assessment
Organizations may be vulnerable to SSRF attacks, which could lead to unauthorized access to internal network resources. This could result in the exposure of sensitive data or other serious security incidents.
Recommendation
It is recommended to upgrade to version 2.3.0 or later to mitigate this vulnerability. Additionally, conducting a security audit to identify potential SSRF-related risks is advisable.
Original NVD description (English source)
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.

