CVE-2026-47260

Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule DNS resolution + public IP check, but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...

Server-side Request Forgery (SSRF)

Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the processing of unvalidated enclosure URLs in podcast episode feeds. An attacker can access sensitive internal resources and exfiltrate data by...