High severity7.7GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026
CVE-2026-47260
CVE-2026-47260
Description
Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get() and streams it back to the user, enabling full-read SSRF against internal services. This issue has been patched in version 9.3.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phanan/koelPackagist | < 9.3.5 | 9.3.5 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-7j2f-6h2r-6cqcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47260ghsaADVISORY
- github.com/koel/koel/commit/8708f077efd7d8a332b32e954d65bc837f3a413anvdWEB
- github.com/koel/koel/commit/be1e867982dcadefd4a75d768ce950b1d5234cdfghsaWEB
- github.com/koel/koel/security/advisories/GHSA-7j2f-6h2r-6cqcnvdWEB
News mentions
0No linked articles in our index yet.