Server-Side Request Forgery in Nextlevelbuilder GoClaw by Nextlevelbuilder
CVE-2026-15624
Key Information:
- Vendor
Nextlevelbuilder
- Status
- Vendor
- CVE Published:
- 14 July 2026
Badges
What is CVE-2026-15624?
A security flaw has been discovered in Nextlevelbuilder's GoClaw version 3.13.3-beta.3, specifically within the bytePlusDownloadVideo function found in the internal/tools/create_video_byteplus.go file. This vulnerability allows attackers to manipulate the output.video_url argument, leading to potential server-side request forgery (SSRF). If exploited, this flaw could enable remote attackers to conduct unauthorized requests on behalf of the vulnerable server, raising serious security concerns. The exploit has already been made public, increasing the urgency for affected users to apply necessary mitigations.
Affected Version(s)
GoClaw 3.13.3-beta.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
