Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SSRF with PR:L authentication; confidentiality impact only (internal resource access), no direct integrity or availability impact on the vulnerable system.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in kLOsk adloop up to 0.9.0. This vulnerability affects the function _validate_urls of the file src/adloop/ads/write.py. Performing a manipulation of the argument final_url results in server-side request forgery. The attack may be initiated remotely. The exploit is now public and may be used. Upgrading to version 0.10.0 is able to resolve this issue. The patch is named 217399723e3a2fb39389e5355d49ed80aaf9ea7c. Upgrading the affected component is advised.
AnalysisAI
Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the final_url argument passed to the _validate_urls function in src/adloop/ads/write.py, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session with at least low-privilege access to the adloop application (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) is supported by the vector: network-reachable (AV:N), low complexity (AC:L), low-privilege authentication required (PR:L), no user interaction (UI:N), and low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated adloop user submits a crafted ad entry supplying a malicious value for the `final_url` parameter - for example, `http://169.254.169.254/latest/meta-data/` - which passes through the `_validate_urls` function and causes the server to fetch the cloud instance metadata endpoint, returning sensitive credentials or configuration data to the attacker. A public proof-of-concept demonstrating this technique is available via GitHub issue #41 (https://github.com/kLOsk/adloop/issues/41), lowering the skill bar for exploitation. |
| Remediation | Upgrade adloop to version 0.10.0 immediately; this is the vendor-confirmed fix delivered via commit 217399723e3a2fb39389e5355d49ed80aaf9ea7c (https://github.com/kLOsk/adloop/commit/217399723e3a2fb39389e5355d49ed80aaf9ea7c) and tagged as release v0.10.0 (https://github.com/kLOsk/adloop/releases/tag/v0.10.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43267
GHSA-cvvx-wcx7-g65m