Description
A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack can be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-06
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch Now
AI Analysis

Impact

A server‑side request forgery flaw exists in the shareMake/shareCheck component of kalcaddle kodbox up to version 1.64. By manipulating the siteFrom and siteTo arguments, an attacker can cause the server to initiate requests to arbitrary URLs, potentially accessing internal resources, exfiltrating data, or performing further malicious actions. The vulnerability allows remote exploitation, though the attack complexity is described as high and exploitation as difficult. However, public exploits are available, indicating that the flaw is being actively used.

Affected Systems

The affected vendor is kalcaddle and the product is kodbox. Versions affected include all releases up to and including 1.64. No specific sub‑version or patch details are provided in the advisories.

Risk and Exploitability

The CVSS base score of 6.3 places the vulnerability in the medium severity range. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no widespread, known exploitation yet. Given the public availability of exploits and remote nature of the attack, the risk remains significant. The attack vector is inferred to be purely remote, relying on the server’s ability to reach arbitrary URLs passed by user input.

Generated by OpenCVE AI on April 6, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check for and apply any kalcaddle kodbox updates that address the SSRF issue, such as a release newer than 1.64.
  • If no official patch is available, restrict outbound traffic from the kodbox instance to only trusted networks by configuring firewall or proxy rules.
  • Validate and whitelist all URLs supplied to the siteFrom and siteTo parameters before they are processed by the application to prevent unauthorized requests.
  • Contact kalcaddle for further guidance or to confirm when a vendor patch will be released.
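One way to implement the allowlist check from the recommendation above, as an added example in Python that is not kodbox's own code (kodbox is a PHP application; the scheme, hostnames and port in the allowlist are constructed placeholders). The validator rejects anything that is not an allowlisted https host, and a separate address check is applied to the resolved addresses so a hostname that resolves to loopback, link-local or private space is still refused:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only destinations a share
# link's siteFrom/siteTo value may point at. Real deployments fill these in.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"files.example.org", "cdn.example.org"}
ALLOWED_PORTS = {443}


def is_public_address(ip_str: str) -> bool:
    """True only for globally routable addresses. Apply it to every address
    the allowlisted hostname resolves to, right before connecting, so a DNS
    answer pointing at loopback, link-local or RFC 1918 space is refused."""
    try:
        return ipaddress.ip_address(ip_str).is_global
    except ValueError:
        return False


def validate_share_url(value: str) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied siteFrom/siteTo value."""
    try:
        parts = urlsplit(value)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    try:  # reject IP literals outright; only allowlisted names get through
        ipaddress.ip_address(host)
        return False, "IP literal not allowed; use an allowlisted hostname"
    except ValueError:
        pass
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"
```

The check must run before the server issues the request, and the HTTP client used afterwards should not follow redirects unless each redirect target is passed through the same validation.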

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Kalcaddle, Kalcaddle kodbox
Vendors & Products   -                Kalcaddle, Kalcaddle kodbox

Mon, 06 Apr 2026 15:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 04:15:00 +0000

Type         Values Removed   Values Added
Description  -                A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title        -                kalcaddle kodbox shareMake/shareCheck server-side request forgery
Weaknesses   -                CWE-918
References   -                -
Metrics      -                cvssV2_0: {'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                              cvssV3_0: {'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T15:02:04.870Z

Reserved: 2026-04-05T15:44:09.915Z

Link: CVE-2026-5618

Vulnrichment

Updated: 2026-04-06T15:01:59.664Z

NVD

Status : Deferred

Published: 2026-04-06T04:16:14.050

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:29Z

Weaknesses