CVE Catalog

CVE-2026-47684

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Summary

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. In versions prior to 2.3.0, the regex used in the URL download feature for blocking private IP addresses does not match IPv4-mapped IPv6 addresses, allowing SSRF protection to be bypassed on dual-stack systems.

Risk Assessment

Organizations may be vulnerable to SSRF attacks, which could lead to unauthorized access to internal network resources. This could result in the exposure of sensitive data or other serious security incidents.

Recommendation

It is recommended to upgrade to version 2.3.0 or later to mitigate this vulnerability. Additionally, conducting a security audit to identify potential SSRF-related risks is advisable.

Original NVD description (English source)

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS