Description
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.
Published: 2026-04-20
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

Vvveb versions earlier than 1.0.8.1 contain a server-side request forgery (CWE-918) in the editor/editor module: a backend authenticated user supplies an arbitrary URL to the oEmbedProxy action, and that URL is handed unvalidated to a curl call. A file:// URL therefore reads any file the web server process can read, and an http:// URL aimed at an internal address probes services on the internal network, with the response body returned to the caller. The flaw leaks sensitive files and network information, a confidentiality impact, but does not by itself give code execution.
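The following is an added illustration of the bug class the description and the recommended actions refer to, written for this page and not taken from Vvveb's source: a proxy that hands the caller's url parameter straight to curl (the pattern the advisory describes), beside a hardened fetch that allows only http and https, vets every address the host resolves to, pins curl to the vetted address and refuses redirects. The function names (unsafeFetch, safeFetch, isPublicIp) and the request list at the bottom are assumptions made for the example; the advisory does not show Vvveb's actual getUrl() implementation.

```php
<?php
// Added illustration, not Vvveb's code. Function names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: scheme and destination are never checked, so
// file:///etc/passwd or http://169.254.169.254/ go straight to libcurl
// and the response body is handed back to the caller.
function unsafeFetch(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// True only for globally routable addresses: rejects loopback, RFC 1918,
// link-local (including the 169.254.169.254 metadata endpoint) and other
// reserved ranges, for IPv4 and IPv6 alike.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Hardened fetch: allow only http/https, resolve the host ourselves, refuse
// non-public addresses, pin curl to the vetted address (so a DNS answer that
// changes between check and use cannot redirect the request) and never follow
// redirects, since a 302 to an internal address would bypass the check.
function safeFetch(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException("scheme not allowed: $scheme");
    }
    $host = trim($parts['host'], '[]');          // parse_url keeps IPv6 brackets
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Literal IPs and hostnames both end up as a list of addresses to vet.
    // gethostbynamel() returns IPv4 answers only; an unresolvable host fails closed.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addrs === []) {
        throw new RuntimeException("cannot resolve $host");
    }
    foreach ($addrs as $ip) {
        if (!isPublicIp($ip)) {
            throw new RuntimeException("destination not allowed: $host -> $ip");
        }
    }
    $pinned = str_contains($addrs[0], ':') ? "[{$addrs[0]}]" : $addrs[0];

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,                           // never chase redirects
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, gopher://, ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE         => ["$host:$port:$pinned"],         // use the vetted address
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("fetch failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Constructed requests of the kind the advisory describes; each is rejected by
// safeFetch before any socket is opened, so this runs offline.
foreach (['file:///etc/passwd', 'http://127.0.0.1:8080/', 'http://169.254.169.254/latest/meta-data/'] as $u) {
    try {
        safeFetch($u);
    } catch (Exception $e) {
        echo "blocked: $u (" . $e->getMessage() . ")\n";
    }
}
```

The protocol allowlist (CURLOPT_PROTOCOLS) is what closes the file:// read on its own; the address vetting and resolve pinning are what stop the internal-network probing, which a scheme check alone does not address. If an oEmbed proxy must follow redirects, each hop has to be re-vetted with the same checks rather than handed to CURLOPT_FOLLOWLOCATION.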

Affected Systems

This flaw affects the Vvveb web-content management system from givanz. Versions prior to 1.0.8.1 are vulnerable; later releases contain the fix.

Risk and Exploitability

The CVSS v4.0 score of 8.3 (v3.1: 7.7) marks the issue as high severity; both vectors record a scope change, reflecting that the web server is used as a proxy into systems beyond the vulnerable component. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated backend access, so an external attacker would first need valid credentials. Once exploited, the attacker can read any file the web server process can read or enumerate internal services, a significant confidentiality impact.

Generated by OpenCVE AI on April 20, 2026 at 15:20 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the CVE description indicates the flaw is fixed in Vvveb 1.0.8.1.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.1 or later as released by givanz.
  • Restrict editor/backend access to a trusted internal network and enforce strong authentication, so that fewer accounts can reach the vulnerable action.
  • Disable or remove the oEmbedProxy functionality if it is not required for the installation, thereby eliminating the entry point for the request forgery.



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Givanz
                                       Givanz vvveb
Vendors & Products                     Givanz
                                       Givanz vvveb

Mon, 20 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description                    Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.
Title                          Vvveb < 1.0.8.1 SSRF via oEmbedProxy
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1
                               {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
                               cvssV4_0
                               {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T14:49:33.646Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34428

Vulnrichment

Updated: 2026-04-20T14:49:28.127Z

NVD

Status : Deferred

Published: 2026-04-20T16:16:44.473

Modified: 2026-04-20T18:54:59.077

Link: CVE-2026-34428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses