Skip to main content

Kodbox EUVDEUVD-2026-19164

| CVE-2026-5618 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-06 VulDB
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.3 (MEDIUM) 2.9 (LOW)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 03:45 euvd
EUVD-2026-19164
Analysis Generated
Apr 06, 2026 - 03:45 vuln.today
CVE Published
Apr 06, 2026 - 03:30 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery (SSRF) in Kalcaddle Kodbox up to version 1.64 allows unauthenticated remote attackers to perform arbitrary network requests via manipulation of the siteFrom/siteTo parameters in the shareMake/shareCheck component, with publicly available exploit code and high attack complexity. The vendor has not responded to disclosure efforts, leaving affected installations vulnerable to information disclosure and potential lateral network attacks.

Technical ContextAI

This vulnerability exploits improper input validation in Kodbox's file sharing functionality, specifically the shareMake and shareCheck components. The root cause is classified as CWE-918 (Server-Side Request Forgery), indicating that user-supplied siteFrom and siteTo parameters are not adequately sanitized before being used in server-side HTTP requests. An attacker can manipulate these parameters to redirect the server into making requests to unintended internal or external targets, bypassing normal network segmentation and access controls. Kodbox is a cloud storage and file management system, and the vulnerable endpoint is part of its sharing mechanism. The CPE designation cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:* indicates all versions up to and including 1.64 are affected.

RemediationAI

Upgrade Kalcaddle Kodbox to a version greater than 1.64 immediately; however, no specific patched version number has been independently confirmed from vendor advisory at time of analysis. Since the vendor (Kalcaddle) has not responded to disclosure efforts and no official patch acknowledgment is documented, users should verify the latest available release from the official Kalcaddle Kodbox repository and test compatibility before deployment. As a temporary mitigation, restrict network access to the shareMake and shareCheck endpoints via web application firewall or reverse proxy rules, and implement strict input validation/filtering on siteFrom and siteTo parameters to block requests to private IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and local metadata services. Monitor outbound connections from Kodbox instances for anomalous SSRF activity. Additional vulnerability details and any community-provided patches may be available at https://vuldb.com/vuln/355408/cti.

More in Kodbox

View all

Share

EUVD-2026-19164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy