CVE-2026-34428
Published: 20 April 2026
Summary
CVE-2026-34428 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 16.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-34428 is a server-side request forgery (SSRF) vulnerability affecting Vvveb versions prior to 1.0.8.1. The issue resides in the oEmbedProxy action of the editor/editor module, where the url parameter is passed directly to a getUrl() function using curl without validation of the scheme or destination. This allows attackers to craft malicious requests that bypass intended restrictions, as documented under CWE-918. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), highlighting its high confidentiality impact due to the changed scope.
Authenticated backend users with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying file:// URLs, they can read arbitrary files accessible to the web server process. Alternatively, http:// URLs targeting internal network addresses enable probing of internal services, with full response bodies returned directly to the attacker.
Mitigation is available via the official patch in Vvveb version 1.0.8.1, as detailed in the GitHub release and the specific commit 2d356844f37819bf771e7cd5e12a8686975e0b2b that addresses the lack of scheme and destination validation. Additional guidance appears in the VulnCheck advisory on the SSRF via oEmbedProxy. Security practitioners should prioritize upgrading affected instances and reviewing access controls for backend users.
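The flaw described above is the absence of any scheme or destination check on the proxied `url` before the outbound request is made. The following is an added example, not code from Vvveb or from the referenced patch, of the validation an oEmbed-style proxy should perform before handing a URL to curl or any other HTTP client: allow only `http`/`https`, reject URLs carrying userinfo, resolve the host, and refuse every address that is loopback, private, link-local, multicast or otherwise not globally routable (including IPv4-mapped IPv6 forms). It is written in Python as a language-neutral illustration; `validate_proxy_url`, `demo_resolver` and the `_DEMO_DNS` table are hypothetical names, and the DNS answers are constructed so that the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only web schemes may be proxied; file://, gopher://, etc. are refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the example runs offline. In a deployment the
# resolver argument would be system_resolver below (socket.getaddrinfo).
_DEMO_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.0.5"],          # constructed internal host
    "oembed.example.net": ["93.184.216.34"],   # constructed public address
}


def demo_resolver(host):
    """Return the list of IP strings a host resolves to, or raise LookupError."""
    try:
        # An IP literal (127.0.0.1, or ::1 taken from a [...] host) needs no lookup.
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    entry = _DEMO_DNS.get(host.lower())
    if entry is None:
        raise LookupError(f"no constructed DNS entry for {host}")
    return entry


def system_resolver(host):
    """Real resolution for deployments: every address, not only the first one."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_public_destination(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return addr.is_global and not addr.is_multicast


def validate_proxy_url(url, resolver=demo_resolver):
    """Decide whether a proxy may fetch url.

    Returns (ok, reason, resolved_ips). The caller should connect to one of
    the returned addresses rather than re-resolving the host, so that the
    fetch cannot be redirected to a different address after the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' is not allowed", []
    host = parts.hostname
    if not host:
        return False, "URL has no host", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed", []
    try:
        ips = resolver(host)
    except (LookupError, socket.gaierror, ValueError):
        return False, f"host '{host}' did not resolve", []
    # Reject the whole request if ANY answer is non-public; a host with one
    # public and one private record would otherwise slip through.
    for ip in ips:
        if not is_public_destination(ipaddress.ip_address(ip)):
            return False, f"destination {ip} is not a public address", ips
    return True, "ok", ips


if __name__ == "__main__":
    for candidate in (
        "file:///etc/passwd",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost/",
        "http://intranet.example/",
        "https://oembed.example.net/oembed?url=x",
    ):
        ok, reason, ips = validate_proxy_url(candidate)
        print(f"{'ALLOW' if ok else 'DENY ':5} {candidate}  ({reason})")
```

Two caveats matter in practice. First, the check must also be applied to every redirect hop (or redirects disabled), since an allowed public host can answer with a `Location:` header pointing at a loopback or link-local address. Second, validating and then letting curl resolve the name again leaves a window for DNS rebinding; pin the connection to the address that passed validation.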
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23852
Vulnerability details
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.
- CWE(s): CWE-918, Server-Side Request Forgery (SSRF)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF via file:// enables direct arbitrary file reads from the local system (T1005); http:// to internal addresses enables probing and discovery of internal network services (T1046).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the url parameter to reject disallowed schemes such as file:// and internal http:// destinations before it is passed to curl, preventing SSRF exploitation.
- SI-2 (Flaw Remediation): mandates timely remediation of the specific SSRF flaw by patching to Vvveb 1.0.8.1, which adds the necessary scheme and destination validation.
- AC-4 (Information Flow Enforcement): enforces information flow control policies that restrict server-side requests from reaching unauthorized internal networks or local files.