vufind/vufind is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper input validation in the /Cover/Show route, allowing remote attackers to access internal HTTP servers and execute Cross-Site Scripting (XSS) attacks by proxying arbitrary URLs via the proxy GET parameter.