Skip to main content

Buildingai

1 CVEs product

Monthly

CVE-2026-7065 MEDIUM POC This Month

Server-side request forgery (SSRF) in BuildingAI up to version 26.0.1 allows remote unauthenticated attackers to abuse the Remote Upload API's uploadRemoteFile function by manipulating the url parameter, enabling unauthorized access to internal resources, data exfiltration from cloud metadata services, and potential pivoting to internal network systems. A publicly available exploit exists (GitHub issue #110), but the vendor has not responded to disclosure. CVSS 7.3 with EPSS data unavailable; exploitation requires no authentication and low attack complexity (AV:N/AC:L/PR:N/UI:N), making this a high-priority remediation target despite unknown CISA KEV status.

SSRF Buildingai
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in BuildingAI up to version 26.0.1 allows remote unauthenticated attackers to abuse the Remote Upload API's uploadRemoteFile function by manipulating the url parameter, enabling unauthorized access to internal resources, data exfiltration from cloud metadata services, and potential pivoting to internal network systems. A publicly available exploit exists (GitHub issue #110), but the vendor has not responded to disclosure. CVSS 7.3 with EPSS data unavailable; exploitation requires no authentication and low attack complexity (AV:N/AC:L/PR:N/UI:N), making this a high-priority remediation target despite unknown CISA KEV status.

SSRF Buildingai
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy