PT-2026-35272 · Bidingcc · Buildingai

Mida · Published 2026-04-26 · Updated 2026-04-30 · CVE-2026-7065

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

BidingCC BuildingAI versions prior to 26.0.2

Description

The Remote Upload API contains a server-side request forgery (SSRF) issue. This occurs when the uploadRemoteFile() function in the packages/core/src/modules/upload/services/file-storage.service.ts file fails to properly handle the url argument, allowing a remote attacker to initiate unauthorized requests from the server.

Recommendations

Update to a version later than 26.0.1. As a temporary workaround, restrict access to the uploadRemoteFile() function until a patch is applied.
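
One way to validate the url argument of a remote-upload endpoint before the server fetches it, as an added example that is not BuildingAI's code or its actual fix. The names checkRemoteUrl, isBlockedAddress and ipv4ToInt are hypothetical, and the caller is assumed to pass in every address the hostname resolved to.

```typescript
// Added example; helper names are hypothetical, not BuildingAI code.
type Verdict = { ok: boolean; reason: string };
// Strict dotted-decimal IPv4 -> integer; null for anything else (octal, hex, short forms).
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Non-public IPv4 ranges as [network, prefix length].
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function isBlockedAddress(ip: string): boolean {
  let addr = ip.toLowerCase();
  if (addr.startsWith("::ffff:")) {
    // IPv4-mapped IPv6: judge the embedded IPv4; reject the hex spelling outright.
    if (!addr.includes(".")) return true;
    addr = addr.slice(7);
  }
  const v4 = ipv4ToInt(addr);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(v4 / size) === Math.floor(ipv4ToInt(net)! / size);
    });
  }
  if (!addr.includes(":")) return true; // not an IP literal: fail closed
  // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10, multicast ff00::/8.
  return addr === "::1" || addr === "::" || /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]|ff[0-9a-f]{2}):/.test(addr);
}

// resolvedIps: every address the host resolved to, e.g. from dns.promises.lookup(host, { all: true }).
function checkRemoteUrl(rawUrl: string, resolvedIps: string[]): Verdict {
  let u: URL;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  if (resolvedIps.length === 0) return { ok: false, reason: "no resolved address" };
  const bad = resolvedIps.find(isBlockedAddress);
  return bad ? { ok: false, reason: `non-public address ${bad}` } : { ok: true, reason: "public destination" };
}
```

A check like this only holds if the request then connects to one of the validated addresses and the same check is repeated for every redirect hop.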

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-7065

Affected Products

Buildingai