Packagist (Composer) package
phanan/koel
pkg:composer/phanan/koel
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-47260 | high | — | | < 9.3.5 | 9.3.5 | May 29, 2026 | Summary: Koel validates the podcast feed URL via the `SafeUrl` rule (DNS resolution + public IP check), but the individual episode `` values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an |
| CVE-2021-33563 | | — | | < 5.1.4 | 5.1.4 | May 24, 2021 | Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier. |