Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery (SSRF) in Kalcaddle Kodbox up to version 1.64 allows unauthenticated remote attackers to perform arbitrary network requests via manipulation of the siteFrom/siteTo parameters in the shareMake/shareCheck component, with publicly available exploit code and high attack complexity. The vendor has not responded to disclosure efforts, leaving affected installations vulnerable to information disclosure and potential lateral network attacks.
Technical ContextAI
This vulnerability exploits improper input validation in Kodbox's file sharing functionality, specifically the shareMake and shareCheck components. The root cause is classified as CWE-918 (Server-Side Request Forgery), indicating that user-supplied siteFrom and siteTo parameters are not adequately sanitized before being used in server-side HTTP requests. An attacker can manipulate these parameters to redirect the server into making requests to unintended internal or external targets, bypassing normal network segmentation and access controls. Kodbox is a cloud storage and file management system, and the vulnerable endpoint is part of its sharing mechanism. The CPE designation cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:* indicates all versions up to and including 1.64 are affected.
RemediationAI
Upgrade Kalcaddle Kodbox to a version greater than 1.64 immediately; however, no specific patched version number has been independently confirmed from vendor advisory at time of analysis. Since the vendor (Kalcaddle) has not responded to disclosure efforts and no official patch acknowledgment is documented, users should verify the latest available release from the official Kalcaddle Kodbox repository and test compatibility before deployment. As a temporary mitigation, restrict network access to the shareMake and shareCheck endpoints via web application firewall or reverse proxy rules, and implement strict input validation/filtering on siteFrom and siteTo parameters to block requests to private IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and local metadata services. Monitor outbound connections from Kodbox instances for anomalous SSRF activity. Additional vulnerability details and any community-provided patches may be available at https://vuldb.com/vuln/355408/cti.
kodbox 1.46.01 has a security flaw that enables user enumeration. Rated critical severity (CVSS 9.8), this vulnerability
A vulnerability was found in kodbox 1.26. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. P
A vulnerability was found in kalcaddle kodbox up to 1.48. Rated critical severity (CVSS 9.8), this vulnerability is remo
A vulnerability was found in kalcaddle kodbox up to 1.48. Rated critical severity (CVSS 9.8), this vulnerability is remo
An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature
kodbox 1.2.x through 1.3.7 has a Sensitive Information Leakage issue. Rated high severity (CVSS 7.5), this vulnerability
kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information. Rated medium severity (CVSS 6.1),
kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotel
Kodbox versions up to 1.61.10 contain a command injection vulnerability in the compression handler component that allows
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19164