CVE-2026-34428

HIGH 7.7

Vvveb < 1.0.8.1 SSRF via oEmbedProxy

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

0th

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.

CWE	CWE-918
Vendor	givanz
Product	vvveb
Published	Apr 20, 2026
Last Updated	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for givanz vvveb

Be the first to know when new high vulnerabilities affecting givanz vvveb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

givanz / Vvveb

0 < 1.0.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/givanz/Vvveb/releases/tag/1.0.8.1 github.com: https://github.com/givanz/Vvveb/commit/2d356844f37819bf771e7cd5e12a8686975e0b2b vulncheck.com: https://www.vulncheck.com/advisories/vvveb-ssrf-via-oembedproxy

Credits

Hamed Kohi of Delta Obscura VulnCheck