EUVD-2026-23773

| CVE-2026-6604 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-20 VulDB
SSRF
6.9
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Apr 20, 2026 - 05:25 vuln.today
Severity Changed
Apr 20, 2026 - 05:22 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 05:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)

DescriptionNVD

A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modality/_openai_tools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument image_url/audio_file_url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery (SSRF) in ModelScope AgentScope up to version 1.0.18 allows remote unauthenticated attackers to manipulate image_url and audio_file_url parameters in the _parse_url, prepare_image, and openai_audio_to_text functions, enabling arbitrary HTTP requests from the affected server. The vulnerability has publicly available exploit code and affects the Cloud Metadata Endpoint component. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-23773 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy