CVE-2026-34428

Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.1

Description An issue exists in the 'oEmbedProxy' action of the 'editor/editor' module where the url parameter is passed directly to the getUrl() function via curl without scheme or destination validation. Authenticated backend users can provide 'file://' URLs to read arbitrary files accessible by the web server process or 'http://' URLs targeting internal network addresses to probe internal services, with the response bodies returned to the caller. Server-Side Request Forgery (SSRF) is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.

Recommendations Update to version 1.0.8.1 or later. As a temporary workaround, restrict access to the 'oEmbedProxy' action in the 'editor/editor' module.