Cyber Resilience

CVE-2026-34428

High · Public PoC

Published: 20 April 2026
Modified: 20 April 2026
KEV Added: not listed (see Summary)
Patch: Vvveb 1.0.8.1 (see Deeper analysis)
CVSS Score (v4): 8.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0026 (16.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34428 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 16.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34428 is a server-side request forgery (SSRF) vulnerability affecting Vvveb versions prior to 1.0.8.1. The issue resides in the oEmbedProxy action of the editor/editor module, where the url parameter is passed directly to a getUrl() function that fetches it with curl, without any validation of the scheme or destination. This lets an attacker craft requests that bypass the restrictions the proxy was meant to enforce, as documented under CWE-918. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), reflecting a high confidentiality impact together with a changed scope.

Authenticated backend users with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying file:// URLs, they can read arbitrary files accessible to the web server process. Alternatively, http:// URLs targeting internal network addresses enable probing of internal services, with full response bodies returned directly to the attacker.

Mitigation is available via the official patch in Vvveb version 1.0.8.1, as detailed in the GitHub release and the specific commit 2d356844f37819bf771e7cd5e12a8686975e0b2b that addresses the lack of scheme and destination validation. Additional guidance appears in the VulnCheck advisory on the SSRF via oEmbedProxy. Security practitioners should prioritize upgrading affected instances and reviewing access controls for backend users.
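The scheme and destination validation described above, modelled in Python as an added example (this is not Vvveb's code or the 1.0.8.1 patch): the proxy accepts only http/https, refuses embedded credentials, resolves the host, and rejects any answer that is loopback, private, link-local or otherwise non-public, returning the vetted IP so the fetch can pin it. Names (validate_oembed_url, is_internal, fake_resolver) and the DNS answers in FAKE_DNS are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # an oEmbed proxy never needs file://, gopher://, ...


def system_resolver(host):
    """Every A/AAAA answer the OS resolver returns for host."""
    return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})


def is_internal(ip_text):
    """Loopback, private, link-local, multicast, reserved or unspecified (also via IPv4-mapped IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_oembed_url(url, resolver=system_resolver):
    """Return (True, vetted_ip) or (False, reason).
    The fetch must connect to vetted_ip (keeping the original Host header)
    instead of resolving the name again, or a DNS rebind between this check
    and the fetch reopens the SSRF."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:  # one internal answer among several is enough to refuse
        if is_internal(addr):
            return False, f"destination {addr} is not a public address"
    return True, addrs[0]


# Constructed DNS answers so the example runs offline; not real records.
FAKE_DNS = {"oembed.example.com": ["93.184.216.34"],
            "intranet.example.local": ["10.0.0.5"],
            "rebind.example.com": ["93.184.216.34", "127.0.0.1"]}
fake_resolver = lambda host: FAKE_DNS.get(host.lower(), [])
```

A stricter variant for an oEmbed proxy is an allowlist of known provider hostnames checked before the resolver step; the destination check above still belongs behind it, since an allowed name can be pointed at an internal address.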


Vulnerability details

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF via file:// enables direct arbitrary file reads from the local system (T1005); http:// to internal addresses enables probing and discovery of internal network services (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14610 (shared CWE-918)
CVE-2025-0474 (shared CWE-918)
CVE-2025-55161 (shared CWE-918)
CVE-2024-37359 (shared CWE-918)
CVE-2024-12450 (shared CWE-918)
CVE-2025-55853 (shared CWE-918)
CVE-2026-41060 (shared CWE-918)
CVE-2024-57767 (shared CWE-918)
CVE-2025-71258 (shared CWE-918)
CVE-2026-24736 (shared CWE-918)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly requires validation of the url parameter to reject disallowed schemes like file:// and internal http:// destinations before passing it to curl, preventing SSRF exploitation.

SI-2 Flaw Remediation (prevent)

Mandates timely remediation of the specific SSRF flaw via patching to Vvveb 1.0.8.1, which adds the necessary scheme and destination validation.

prevent

Enforces information flow control policies to restrict server-side requests from reaching unauthorized internal networks or local files.
