Description
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.
Published: 2026-06-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated Server‑Side Request Forgery (CWE‑918) exists in the custom scraper subsystem of Benjamin Jonard Koillection v1.8.0. By supplying a crafted URL, an attacker with valid credentials can force the server to send requests to arbitrary internal resources, potentially exposing sensitive data or providing a foothold for further attacks. The flaw allows external control over outbound requests, compromising confidentiality and integrity of internal services. The vulnerability requires authentication, so the attacker must first compromise or use a legitimate user account to trigger the SSRF. Once authenticated, the attacker can target any reachable service within the internal network as long as the server has connectivity. This flaw is a classic example of Server‑Side Request Forgery, where the server unintentionally becomes a proxy for arbitrary external or internal requests, giving the attacker indirect access to otherwise unreachable resources.

Affected Systems

The affected product is Benjamin Jonard Koillection version 1.8.0. No other vendors or products are listed in the current CVE entry.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity for authenticated attacks, while the EPSS score of less than 1% reflects very low observed exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to access the web application as an authenticated user, then supply a maliciously crafted URL to the scraper component. Because the exploit is limited to valid user accounts, the risk is mitigated compared to unauthenticated SSRF, but the potential impact on internal services remains significant.

Generated by OpenCVE AI on June 18, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Benjamin Jonard Koillection that contains the SSRF fix if available
  • Disable or remove the custom scraper subsystem if it is not required for business operations
  • Configure network controls or firewall rules to block outbound connections from the scraper process to internal IP ranges

Generated by OpenCVE AI on June 18, 2026 at 01:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Authenticated SSRF in Custom Scraper Subsystem

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Authenticated SSRF in Custom Scraper Subsystem

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-918
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Benjaminjonard
Benjaminjonard koillection
Vendors & Products Benjaminjonard
Benjaminjonard koillection

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.
References

Subscriptions

Benjaminjonard Koillection
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:58:42.501Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50888

cve-icon Vulnrichment

Updated: 2026-06-16T14:58:37.400Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:31.793

Modified: 2026-06-16T17:16:41.970

Link: CVE-2026-50888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T02:00:05Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)