Server-side Request Forgery (SSRF)
Overview phanan/koel is a personal audio streaming service. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the processing of unvalidated enclosure URLs in podcast episode feeds. An attacker can access sensitive internal resources and exfiltrate data by...
CVE-2026-47260
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-18 21:55:14+00:00 | published-proof-of-concept | https://github.com/koel/koel/security/advisories/GHSA-7j2f-6h2r-6cqc... |
CVE-2021-33563
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
PT-2023-12240 · Koel · Koel
Name of the Vulnerable Software and Affected Versions: Koel versions 5.1.4 and earlier Description: An issue in Koel allows remote attackers to gain access to sensitive information via the login form parameters. Recommendations: For versions 5.1.4 and earlier, at the moment, there is no informati...
GHSA-R37H-J483-CJJM Improper rate limiting in Koel
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
Improper rate limiting in Koel
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
CVE-2021-33563
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
CVE-2021-33563
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
Default credentials
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
CVE-2021-33563
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier...
CVE-2021-33563
Koel prior to 5.1.4 is affected by an authentication weakness: no login throttling, no minimum password strength policy, and failure messages indicate whether a username is valid. Red Hat/CVE and OSV entries echo the same Description. Impact is described as facilitating brute-force attempts; no e...
Koel security vulnerability
Koel is a simple web-based personal audio streaming service written in Vue on the client side and Laravel on the server side. A security vulnerability exists in Koel versions prior to 5.1.4 that stems from no login restrictions, no password strength policy, and displaying whether a failed login...
in koel/koel
✍️ Description Koel is lacking any form of rate limiting in the login form, thus allowing an attacker to brute force their way in. 🕵️♂️ Proof of Concept - Spin up an instance of Koel. - Open up burpsuite and capture a login request, send it to intruder, set your options and run. - 401 is shown...