
Sync-in Server CVE-2026-47684

Severity: HIGH (CVSS 3.1 base score 7.7)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2026-06-05
Project: https://github.com/Sync-in/server
Advisory: GHSA-q4x5-8cj6-52wg

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Jun 05, 2026 - 16:34 (nvd): CVE Published
Jun 05, 2026 - 17:16 (vuln.today): Source Code Evidence Fetched
Jun 05, 2026 - 17:16 (vuln.today): Analysis Generated

Description (source: NVD)

Summary: The private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems.

Affected components:

  • backend/src/applications/files/services/files-manager.service.ts - downloadFromUrl() checks regExpPrivateIP against request.socket.remoteAddress.
  • backend/src/applications/files/utils/url-file.ts - regExpPrivateIP does not include ::ffff:<ipv4> variants.

Details: The regExpPrivateIP regex in backend/src/applications/files/utils/url-file.ts correctly blocks standard IPv4 private ranges but does not include ::ffff: prefixed variants. On dual-stack systems, Node.js can report a socket's remoteAddress in IPv4-mapped IPv6 form, meaning the check in FilesManager.downloadFromUrl() can be bypassed entirely.

PoC: poc.pdf

Proof: screenshot attached to the GitHub advisory (https://github.com/user-attachments/assets/797cea83-0a08-4a16-a91b-31c51068d473; image not reproduced here).

Impact: An attacker can supply a crafted URL pointing to an internal address that gets reported as ::ffff:127.0.0.1 or ::ffff:10.x.x.x, causing the server to fetch internal resources that should be blocked. Any user with access to the file download feature is a potential attacker.
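As an added illustration of the defect described above (not Sync-in's code; the regex, range list and helper names are constructed), an IPv4-only blocklist of the kind the advisory describes is shown beside a hardened check that unwraps IPv4-mapped IPv6 addresses before matching:

```typescript
// Weak check: IPv4-only private-range blocklist. This regex is a constructed
// stand-in for the class of check described in the advisory, not the real
// regExpPrivateIP from url-file.ts.
const weakPrivateIp = /^(10\.|127\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)/;

function isPrivateWeak(addr: string): boolean {
  return weakPrivateIp.test(addr);
}

// Normalise an address as Node.js may report it (socket.remoteAddress or a
// URL host) before matching: strip brackets and zone id, lower-case, and
// unwrap IPv4-mapped IPv6 in both dotted (::ffff:127.0.0.1) and hex
// (::ffff:7f00:1) spelling. A production implementation should canonicalise
// with a full IP parser; this covers only the forms discussed on this page.
function normalizeAddress(addr: string): string {
  let a = addr.trim().toLowerCase();
  if (a.startsWith("[") && a.endsWith("]")) a = a.slice(1, -1);
  const zone = a.indexOf("%");
  if (zone !== -1) a = a.slice(0, zone);
  const dotted = /^(?:0*:)*ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(a);
  if (dotted) return dotted[1];
  const hex = /^(?:0*:)*ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
  }
  return a;
}

// Native IPv6 ranges that must be refused as well: loopback/unspecified,
// unique-local (fc00::/7) and link-local (fe80::/10).
const privateV6 = /^(?:::1|::)$|^f[cd][0-9a-f]{2}:|^fe[89ab][0-9a-f]:/;

// Hardened check: match only after normalisation, so the mapped form of a
// private IPv4 address is judged exactly like the plain IPv4 address.
function isPrivateHardened(addr: string): boolean {
  const a = normalizeAddress(addr);
  return weakPrivateIp.test(a) || privateV6.test(a);
}
```

The weak check accepts ::ffff:127.0.0.1 while the hardened one refuses it, which is the gap the 2.3.0 fix closes.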

Analysis (AI-generated)

Server-Side Request Forgery in Sync-in Server versions 2.2.1 and earlier allows authenticated low-privileged users to bypass the private-IP blocklist by supplying URLs that resolve to IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:10.x.x.x). The URL download feature's regExpPrivateIP regex fails to recognize the dual-stack representation, letting the server fetch internal resources it should refuse. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to Sync-in as low-privileged user
Delivery: Craft URL with IPv4-mapped IPv6 host (::ffff:127.0.0.1)
Exploit: Submit to URL download feature
Execution: Bypass regExpPrivateIP check
Persist: Server fetches internal resource
Impact: Exfiltrate response via downloaded file

Vulnerability Assessment (AI-generated)

Exploitation: Requires a valid low-privileged Sync-in account with access to the URL download feature in files-manager.service.ts (PR:L per CVSS), and the target instance must be running on a dual-stack host where Node.js reports socket remoteAddress in the ::ffff:<ipv4> form - the default on most Linux deployments unless IPv6 has been disabled or the listener is bound exclusively to AF_INET. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7 High) accurately reflects a network-reachable, low-complexity SSRF requiring any authenticated account, with scope change because the server pivots into the internal trust boundary and discloses high-confidentiality data; integrity and availability are not directly affected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker registers or compromises any standard Sync-in account, then uses the file download feature to submit a URL such as http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/ or http://[::ffff:127.0.0.1]:9200/_search; the server's SSRF filter inspects the IPv4-mapped IPv6 string, finds no match in regExpPrivateIP, and proceeds to fetch the internal resource and return its contents as a downloaded file. With the reporter's PoC (poc.pdf) published alongside the advisory, weaponization is straightforward for any operator familiar with Node.js dual-stack semantics.

Remediation: Vendor-released patch: upgrade @sync-in/server to 2.3.0 or later (https://github.com/Sync-in/server/releases/tag/v2.3.0), which extends regExpPrivateIP to cover IPv4-mapped IPv6 forms; this is the primary fix and should be applied before any workaround. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Inventory all Sync-in Server deployments and identify any instances running versions 2.2.1 or earlier. …


CVE-2026-47684 vulnerability details – vuln.today
