Skip to main content

AutoBangumi CVE-2026-59101

| EUVDEUVD-2026-41432 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-02 VulnCheck GHSA-p8rr-9cvg-cx5j
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Unauthenticated network endpoint with no complexity; SSRF leaks only internal reachability via error messages, yielding C:L with no integrity or availability impact and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:39 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
5.8 (MEDIUM) 6.9 (MEDIUM)

DescriptionCVE.org

AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST /api/v1/setup/test-downloader endpoint during the initial setup window, causing the server to issue HTTP GET requests to internal or reserved addresses and leak information through echoed connection-error messages.

AnalysisAI

Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify AutoBangumi instance still in setup phase
Delivery
Send unauthenticated POST to /api/v1/setup/test-downloader with internal host value
Exploit
Server issues outbound HTTP GET to attacker-supplied internal address
Execution
Parse connection-error message echoed in response
Persist
Iterate across internal IP ranges to map reachable services
Impact
Correlate results to identify high-value internal targets

Vulnerability AssessmentAI

Exploitation The POST /api/v1/setup/test-downloader endpoint must be network-reachable by the attacker, AND the AutoBangumi instance must still be in its initial setup window - that is, the first-run configuration has not yet been completed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, score 6.9) accurately reflects a low-complexity, unauthenticated, network-reachable SSRF with limited confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an AutoBangumi instance accessible on the internet that has not yet completed its initial setup, then sends a POST request to /api/v1/setup/test-downloader with the host parameter set to an internal address such as 192.168.1.1:8080 or 169.254.169.254 (cloud metadata endpoint). The server dutifully issues an outbound HTTP GET to that address and returns a connection-error response to the attacker, revealing whether the internal host is reachable - allowing iterative internal network enumeration with no credentials required. …
Remediation The primary fix is to upgrade AutoBangumi to version 3.2.8, which addresses the vulnerability via commit 487bdfec545e805ae416e6ddf28651bd274d6a73 (https://github.com/EstrellaXD/Auto_Bangumi/commit/487bdfec545e805ae416e6ddf28651bd274d6a73). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy