Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible SSRF requiring low-privilege auth (PR:L); scope changes because the server proxies requests to otherwise-unreachable internal systems (S:C); no direct availability impact.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in nextlevelbuilder GoClaw 3.13.3-beta.3. Affected by this vulnerability is the function bytePlusDownloadVideo of the file internal/tools/create_video_byteplus.go of the component invoke Endpoint. The manipulation of the argument output.video_url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AnalysisAI
Server-side request forgery in GoClaw 3.13.3-beta.3 enables authenticated remote attackers to manipulate the output.video_url parameter within the bytePlusDownloadVideo function, coercing the server into issuing HTTP requests to attacker-controlled destinations including internal network resources. The flaw resides in internal/tools/create_video_byteplus.go at the invoke endpoint. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a low-privilege authenticated session on the GoClaw application, as indicated by PR:L in the CVSS 4.0 vector - unauthenticated access alone is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC:L/VI:L/VA:L and threat metric E:P yields a score of 2.1, which is notably low for a network-exploitable SSRF with a public POC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated GoClaw user submits a crafted request to the invoke endpoint, setting `output.video_url` to an internal address such as `http://169.254.169.254/latest/meta-data/iam/security-credentials/` targeting cloud instance metadata. The server fetches the URL without validation and may return the response body, potentially exposing IAM role credentials to the attacker. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
OS command injection in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers to execute arbitrary shel
Missing authentication in GoClaw's Webhook Verification Handler allows unauthenticated remote attackers to interact with
Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privi
Path traversal in GoClaw 3.13.3-beta.3 allows authenticated remote attackers to read or write files outside the intended
Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote att
Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker
Improper privilege management in nextlevelbuilder GoClaw up to version 3.11.3 allows authenticated low-privileged users
Missing authorization in nextlevelbuilder GoClaw up to version 3.11.3 allows low-privileged remote attackers to trigger
Information disclosure in nextlevelbuilder GoClaw up to version 3.13.3-beta.3 allows remote low-privileged attackers to
GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand functio
Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers with high-privileg
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43613
GHSA-jj94-w7r6-q859