21 matches found
CVE-2026-50552
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the...
CVE-2026-47260
Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...
CVE-2026-50552 Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the...
EUVD-2026-36546
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the...
CVE-2026-50552
Koel (open-source music streaming) is affected prior to version 9.7.1 by a Server-Side Request Forgery (SSRF) in the radio station creation endpoint (POST /api/radio/stations). The url validation rules are declared without bail, allowing the HasAudioContentType rule to issue HTTP requests even af...
EUVD-2026-36545
Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...
CVE-2026-47260 Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs
Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...
CVE-2026-47260
Koel (pre-9.3.5) is vulnerable to SSRF via unvalidated podcast enclosure URLs extracted from RSS feeds. The SafeUrl rule validates only the feed URL, not enclosure URLs, which are stored directly in the database and later fetched with Http::sink()->get() when playing an episode, enabling full-...
Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the processing of unvalidated enclosure URLs in podcast episode feeds. An attacker can access sensitive internal resources and exfiltrate data by...
CVE-2026-47260
creationtimestamp | type | source
---|---|---
2026-05-18 21:55:14+00:00 | published-proof-of-concept | https://github.com/koel/koel/security/advisories/GHSA-7j2f-6h2r-6cqc...
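The two Koel SSRF entries above describe the same class of mistake from two angles: a URL check that exists but is bypassed because a later rule in the chain still fetches the URL (no bail), and a URL check that is applied to the feed URL but not to the enclosure URLs pulled out of the feed. The Python below is an added example written for this page, not Koel's own PHP/Laravel code: it implements a SafeUrl-style rule (scheme allowlist, DNS resolution, public-IP test on every answer), runs it in a rule chain with and without bail semantics so the simulated fetch can be observed, and applies the same rule to each enclosure in an RSS document. The hostnames, the DNS table and the RSS feed are constructed for the example; no network access happens.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed DNS table so the example runs offline. Names and answers are
# assumptions made for this example, not data from the advisories.
FAKE_DNS: Dict[str, List[str]] = {
    "cdn.example.com": ["8.8.8.8"],                  # routable answer
    "meta.internal": ["169.254.169.254"],            # cloud metadata endpoint
    "rebind.example.net": ["1.1.1.1", "10.0.0.5"],   # one public, one private answer
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges are what gets checked.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def safe_url(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """SafeUrl-style rule: http(s) only, host must resolve, and every DNS answer
    (not just the first) must be a globally routable address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, "not an http(s) URL"
    try:
        ips = [str(ipaddress.ip_address(p.hostname))]   # literal IP, nothing to resolve
    except ValueError:
        ips = resolve(p.hostname)
    if not ips:
        return False, "host does not resolve"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"non-public address {ip}"
    return True, ""


def validate_station_url(url: str, bail: bool) -> Tuple[List[str], List[str]]:
    """Run the rule chain for a radio-station URL and return (errors, fetched_urls).
    The last rule stands in for a content-type check that has to fetch the URL;
    the fetch is simulated by recording the URL instead of sending a request."""
    fetched: List[str] = []

    def has_audio_content_type(u: str) -> Tuple[bool, str]:
        fetched.append(u)   # this outbound request is the SSRF primitive
        return (u.startswith("https://cdn.example.com/"), "not an audio resource")

    rules = [
        lambda u: (urlparse(u).scheme in ("http", "https"), "not an http(s) URL"),
        safe_url,
        has_audio_content_type,
    ]
    errors: List[str] = []
    for rule in rules:
        ok, msg = rule(url)
        if not ok:
            errors.append(msg)
            if bail:        # stop at the first failure; later rules never run
                break
    return errors, fetched


def unsafe_enclosure_urls(rss_xml: str) -> List[Tuple[str, str]]:
    """Apply the same SafeUrl check to every <enclosure url=...> in a feed,
    the step the advisory says was skipped for episode URLs."""
    root = ET.fromstring(rss_xml)
    rejected = []
    for enc in root.iter("enclosure"):
        u = enc.get("url", "")
        ok, why = safe_url(u)
        if not ok:
            rejected.append((u, why))
    return rejected


# Constructed RSS document for the example.
SAMPLE_FEED = """<rss version="2.0"><channel><title>constructed feed</title>
<item><title>ep1</title><enclosure url="https://cdn.example.com/ep1.mp3" type="audio/mpeg"/></item>
<item><title>ep2</title><enclosure url="http://meta.internal/latest/meta-data/" type="audio/mpeg"/></item>
<item><title>ep3</title><enclosure url="http://127.0.0.1:6379/" type="audio/mpeg"/></item>
<item><title>ep4</title><enclosure url="http://rebind.example.net/ep4.mp3" type="audio/mpeg"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for bail in (False, True):
        errs, fetched = validate_station_url("http://127.0.0.1:6379/", bail=bail)
        print(f"bail={bail}: errors={errs} fetched={fetched}")
    for u, why in unsafe_enclosure_urls(SAMPLE_FEED):
        print(f"rejected {u}: {why}")
```

Running it shows the loopback URL being fetched when bail is off even though safe_url already rejected it, and three of the four enclosures rejected (metadata endpoint, loopback, and the name with a mixed public/private answer set). Two caveats for anyone porting this: the check resolves the name at validation time while the real download resolves it again later, so a name whose answers change in between (DNS rebinding) still gets through unless the fetch is pinned to the validated address or re-validated at fetch time; and HTTP redirects must be disabled or each hop re-validated, since a public URL can 302 to an internal one.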
CVE-2021-33563
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
PT-2023-12240 · Koel · Koel
Name of the Vulnerable Software and Affected Versions: Koel versions 5.1.4 and earlier Description: An issue in Koel allows remote attackers to gain access to sensitive information via the login form parameters. Recommendations: For versions 5.1.4 and earlier, at the moment, there is no informati...
GHSA-R37H-J483-CJJM Improper rate limiting in Koel
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
Improper rate limiting in Koel
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
Default credentials
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
CVE-2021-33563
Koel prior to 5.1.4 is affected by an authentication weakness: no login throttling, no minimum password strength policy, and failure messages indicate whether a username is valid. Red Hat/CVE and OSV entries echo the same Description. Impact is described as facilitating brute-force attempts; no e...
Koel security vulnerability
Koel is a simple web-based personal audio streaming service written in Vue on the client side and Laravel on the server side. A security vulnerability exists in Koel versions prior to 5.1.4 that stems from the lack of login throttling, the lack of a password strength policy, and displaying whether a failed login...
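The CVE-2021-33563 entries above list three weaknesses in one login form: no throttling, no password policy, and an error message that tells the caller whether the username exists. The Python below is an added example written for this page, not Koel's code (Koel is PHP/Laravel), showing the three corresponding controls together: a sliding-window throttle keyed by client IP and username, a minimum password policy, and a login path that returns one generic message and always runs a constant-time comparison (against a dummy secret when the user is unknown) so neither text nor timing leaks username validity. The user table, dummy secret and weak-password list are constructed for the example.

```python
import hmac
import re
import time
from typing import Callable, Dict, List, Tuple

# Constructed user store. Passwords are kept as plaintext strings only so the
# example runs without a hashing library; a real service stores bcrypt/argon2 hashes.
USERS: Dict[str, str] = {"alice": "Correct-Horse-Battery-9"}
DUMMY_SECRET = "x" * 24            # compared against when the username is unknown (assumption)

MAX_FAILURES = 5                   # failures tolerated per key per window
WINDOW_SECONDS = 60.0              # sliding-window length
GENERIC_FAILURE = "Invalid credentials"          # identical for bad user and bad password
THROTTLED = "Too many attempts, try again later"


def password_policy_errors(pw: str) -> List[str]:
    """Minimum policy: length, letters and digits, not a well-known weak password."""
    errors = []
    if len(pw) < 12:
        errors.append("at least 12 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        errors.append("letters and digits")
    if pw.lower() in {"password1234", "123456789012", "qwertyuiop12"}:   # constructed denylist
        errors.append("well-known weak password")
    return errors


class LoginGuard:
    """Sliding-window throttle keyed by client IP and username, uniform failure message."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.failures: Dict[str, List[float]] = {}

    def _recent_failures(self, key: str) -> List[float]:
        now = self.clock()
        kept = [t for t in self.failures.get(key, []) if now - t < WINDOW_SECONDS]
        self.failures[key] = kept
        return kept

    def login(self, username: str, password: str, client_ip: str) -> Tuple[bool, str]:
        key = f"{client_ip}|{username.lower()}"
        if len(self._recent_failures(key)) >= MAX_FAILURES:
            return False, THROTTLED
        stored = USERS.get(username)
        # Always run the comparison, against a dummy if the user does not exist,
        # so neither the message nor the timing reveals whether the username is valid.
        matched = hmac.compare_digest((stored or DUMMY_SECRET).encode(), password.encode())
        if stored is None or not matched:
            self._recent_failures(key).append(self.clock())
            return False, GENERIC_FAILURE
        self.failures.pop(key, None)       # success clears the counter for this key
        return True, "ok"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.login("alice", "wrong", "203.0.113.9"))    # (False, 'Invalid credentials')
    print(guard.login("nobody", "wrong", "203.0.113.9"))   # same message for an unknown user
    print(password_policy_errors("short1"))                # ['at least 12 characters']
```

The key choice matters: throttling per username alone lets an attacker lock a victim out with a handful of bad guesses, while throttling per IP alone misses password spraying from many addresses; combining the two is the usual middle ground, often backed by a slower global limit. The success message is the only branch that differs, which is what closes the username oracle described in the entries.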