Vvveb Server-Side Request Forgery Vulnerability in oEmbedProxy Action

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Vvveb versions prior to 1.0.8.1. The issue is in the oEmbedProxy action of the editor module, where the url parameter is passed directly to the getUrl() function and requested via cURL with no validation of the scheme or destination. An authenticated backend user can supply file:// URLs to read arbitrary files that the web server can read, or http:// URLs that target internal network addresses to probe local services; the response bodies are returned directly to the requester.

Impact

Exploitation of this vulnerability allows for server-side request forgery, enabling authenticated users to read arbitrary files from the server or probe internal services.

Remediation

Users can update to Vvveb version 1.0.8.1 or later, where this vulnerability has been fixed.
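
The checks the description says were missing (scheme and destination validation before the cURL call), sketched as an added PHP example. This is not Vvveb's code or its 1.0.8.1 patch; safeOembedFetch() and isPublicIp() are hypothetical names, and the sample URLs are constructed.

```php
<?php
// Added example: hypothetical hardened fetcher, not Vvveb's actual patch.

// True only for publicly routable addresses (rejects RFC 1918, loopback,
// link-local and other reserved ranges).
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Returns the response body, or null when the URL is refused or the fetch fails.
function safeOembedFetch(string $url): ?string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return null; // refuses file:// and every other non-web scheme
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once (IPv4 only here) and vet every address; fail closed.
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ips = $isLiteral ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === [] || array_filter($ips, 'isPublicIp') !== $ips) {
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a redirect could point back inside
        CURLOPT_RESOLVE         => ["$host:$port:{$ips[0]}"], // pin vetted IP
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed inputs; all three are refused before any request is sent.
foreach (['file:///etc/hostname', 'http://127.0.0.1:8080/', 'http://10.0.0.5/'] as $u) {
    var_dump(safeOembedFetch($u));
}
```

The filter flags do not cover every non-public range (for example 100.64.0.0/10), so environments that use such networks need an explicit deny list as well.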

Added: Apr 20, 2026, 4:40 PM
Updated: Apr 20, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 6.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.