{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50552", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-04T20:37:18.654Z", "datePublished": "2026-06-12T18:51:46.028Z", "dateUpdated": "2026-06-15T15:25:23.537Z"}, "containers": {"cna": {"title": "Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw"}, {"name": "https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6", "tags": ["x_refsource_MISC"], "url": "https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6"}], "affected": [{"vendor": "koel", "product": "koel", "versions": [{"version": "< 9.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T18:51:46.028Z"}, "descriptions": [{"lang": "en", "value": "Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule \u2014 which issues HTTP requests to the supplied URL \u2014 still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1."}], "source": {"advisory": "GHSA-jr4p-4xjh-fwvw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T15:25:19.610002Z", "id": "CVE-2026-50552", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T15:25:23.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-50552", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T15:25:19.610002Z"}}}], "references": [{"url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T15:24:54.196Z"}}], "cna": {"title": "Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail", "source": {"advisory": "GHSA-jr4p-4xjh-fwvw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "koel", "product": "koel", "versions": [{"status": "affected", "version": "< 9.7.1"}]}], "references": [{"url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw", "name": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6", "name": "https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule \u2014 which issues HTTP requests to the supplied URL \u2014 still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T18:51:46.028Z"}}}, "cveMetadata": {"cveId": "CVE-2026-50552", "state": "PUBLISHED", "dateUpdated": "2026-06-15T15:25:23.537Z", "dateReserved": "2026-06-04T20:37:18.654Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-12T18:51:46.028Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule \u2014 which issues HTTP requests to the supplied URL \u2014 still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1."}], "id": "CVE-2026-50552", "lastModified": "2026-06-15T21:08:33.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-12T20:16:47.080", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/koel/koel/commit/5f6ce2cefd08f437a269236b677ad971517ccbb6"}, {"source": "security-advisories@github.com", "url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/koel/koel/security/advisories/GHSA-jr4p-4xjh-fwvw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "koel", "source": "cna", "vendor": "koel"}, "product": "koel", "vendor": "koel"}], "created": "2026-06-12T20:30:06.946652+00:00", "updated": "2026-06-12T21:00:19.750952+00:00", "vendors": ["koel", "koel$PRODUCT$koel"]}