Server-Side Request Forgery in Vvveb Editor Module
CVE-2026-34428

8.3 HIGH

Key Information:

Vendor: Givanz

Status
Vendor
CVE Published: 20 April 2026

What is CVE-2026-34428?

Vvveb versions earlier than 1.0.8.1 are susceptible to a server-side request forgery vulnerability located in the oEmbedProxy action of the editor module. The vulnerability arises from improper handling of the url parameter, allowing authenticated backend users to pass file:// URLs directly to the getUrl() function via cURL without conducting any form of scheme or destination validation. This flaw can be exploited to read arbitrary files accessible by the web server process or to probe internal network services using http:// URLs, with the responses directly returned to the requesting user.
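
One way to enforce the scheme and destination validation described above as missing, shown as an added example (it is not Vvveb's code or its actual fix). The function names isPublicIp() and fetchExternalUrl() are hypothetical, PHP's curl extension is assumed, and only IPv4 is checked, so hosts that resolve solely over IPv6 are rejected.

```php
<?php
// Added example, not Vvveb's code: isPublicIp() and fetchExternalUrl() are hypothetical names.

// True only for addresses outside the private and reserved ranges PHP's filter flags define.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Validate a user-supplied URL, then fetch it with cURL pinned to the vetted address.
// Returns the response body, or null when the URL is rejected or the request fails.
function fetchExternalUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // scheme allow-list: file:// and every other scheme is refused
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once and require every returned address to be public; an unresolvable
    // host or a bracketed IPv6 literal yields false here and is rejected (fail closed).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : gethostbynamel($host);
    if (!$ips || count(array_filter($ips, 'isPublicIp')) !== count($ips)) {
        return null; // loopback, private, link-local and reserved destinations
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Second layer: cURL itself refuses non-HTTP(S) schemes.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // No redirects, so a vetted URL cannot forward the request to an internal host.
        CURLOPT_FOLLOWLOCATION  => false,
        // Pin the connection to the address that was checked (blocks DNS rebinding).
        CURLOPT_RESOLVE         => ["$host:$port:{$ips[0]}"],
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}
```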

Affected Version(s)

Vvveb 0 < 1.0.8.1

Vvveb 2d356844f37819bf771e7cd5e12a8686975e0b2b

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hamed Kohi of Delta Obscura
VulnCheck