CVE-2026-47260

Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule DNS resolution + public IP check, but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...

PT-2026-45047

Name of the Vulnerable Software and Affected Versions Koel versions prior to 9.3.5 Description Koel fails to validate individual episode enclosure URLs extracted from RSS XML feeds, despite validating the main podcast feed URL. These unvalidated URLs are stored in the database and subsequently...