CVE-2026-54562 in CloudreveИнформация

Сводка

по MITRE • 15.07.2026

Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, Cloudreve's remote download workflow accepts user-supplied URLs at POST /api/v4/workflow/download and passes them to the configured downloader without blocking loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, allowing a non-admin user with remote download permission to fetch internal-only URLs and read the response after it is imported into the user's own files. This issue is fixed in version 4.16.1.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Ответственный

GitHub M

Резервировать

15.06.2026

Раскрытие

15.07.2026

Модерация

принято

Вход

VDB-379279

EPSS

0.00000

KEV

Нет

Деятельности

Очень низкий

Источники

Want to stay up to date on a daily basis?

Enable the mail alert feature now!