CVE-2026-34428
Published 2026-04-20
Priority: P3 48
CVSS 3.1: 7.7 high (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS: 0.26% (16.9th percentile)
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givanz | vvveb | < 1.0.8.1 | 1.0.8.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| nvd | v4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
givanz Vvveb up to 1.0.8.0 file URL getUrl server-side request forgery
vuldb·2026-04-20·CVSS 8.3
CVE-2026-34428 [HIGH] givanz Vvveb up to 1.0.8.0 file URL getUrl server-side request forgery
A vulnerability was found in givanz Vvveb up to 1.0.8.0. It has been declared as critical. Impacted is the function getUrl of the component file URL Handler. The manipulation results in server-side request forgery.
This vulnerability was named CVE-2026-34428. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
GHSA-fr6h-4rh3-wc9f: Vvveb prior to 1
ghsa_unreviewed·2026-04-20
CVE-2026-34428 [HIGH] CWE-918 GHSA-fr6h-4rh3-wc9f: Vvveb prior to 1
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.