Skip to main content

Adloop

1 CVEs product

Monthly

CVE-2026-15525 LOW POC PATCH Monitor

Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the `final_url` argument passed to the `_validate_urls` function in `src/adloop/ads/write.py`, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. A public proof-of-concept exploit exists via GitHub issue #41, and a vendor-released patch is available in version 0.10.0.

SSRF Adloop
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the `final_url` argument passed to the `_validate_urls` function in `src/adloop/ads/write.py`, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. A public proof-of-concept exploit exists via GitHub issue #41, and a vendor-released patch is available in version 0.10.0.

SSRF Adloop
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy