Description
A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side request forgery
Action: Patch
AI Analysis

Impact

The flaw exists in cskefu versions up to 8.0.1 in the MediaController.java component, where an attacker can manipulate the url parameter to force the server to issue requests to arbitrary locations, enabling potential internal network reconnaissance or exploitation. The vulnerability is a Server‑Side Request Forgery (CWE‑918) that may allow an attacker to access sensitive resources, exfiltrate data, or misconfigure services, impacting confidentiality, integrity, or availability of systems that the application connects to.

Affected Systems

The affected product is cskefu, specifically any deployment of the cskefu platform up to and including version 8.0.1. No other product variants or higher versions are listed as vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 5.3, indicating a moderate risk, and the EPSS score is less than 1 %, suggesting a very low but non‑zero likelihood of exploitation. The vulnerability can be triggered remotely without authentication, and no official patch has yet been released by the vendor, though the exploitation code is publicly available. The security event is not listed in the CISA KEV catalog, so it is currently considered a lower priority relative to known exploited vulnerabilities.

Generated by OpenCVE AI on April 17, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cskefu to the latest available version that includes the SSRF fix; if a patch version 8.0.2 or newer exists, deploy it immediately.
  • If an upgrade is not feasible, restrict outbound network traffic from the cskefu service to only essential destinations, effectively blocking the path an attacker would use to reach internal or external systems.
  • Disable or remove the MediaController endpoint or implement strict input validation that limits the url parameter to a whitelist of trusted domains.
  • Consider adding firewall or reverse‑proxy rules that prevent the application from resolving internal hostnames or making requests to localhost/127.0.0.1.

Generated by OpenCVE AI on April 17, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cskefu:cskefu:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Cskefu
Cskefu cskefu
Vendors & Products Cskefu
Cskefu cskefu

Mon, 16 Feb 2026 13:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title cskefu Endpoint MediaController.java server-side request forgery
Weaknesses CWE-918
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Cskefu Cskefu
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:10:03.992Z

Reserved: 2026-02-15T17:43:58.520Z

Link: CVE-2026-2556

cve-icon Vulnrichment

Updated: 2026-02-17T15:55:05.710Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-16T13:16:00.940

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2556

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses