Submit #785572: Kodbox 1.64 SSRF

Title: Kodbox 1.64 SSRF
Description: KodBox 1.64 (https://github.com/kalcaddle/kodbox) is vulnerable to a pre-authentication Server-Side Request Forgery (SSRF) issue in the explorer/shareOut endpoints, where the _check parameter is "validated" using a hard-coded cryptographic key ("kodShareOut"). Because this key is embedded in the public codebase, an attacker can locally reproduce the signing logic, forge valid _check tokens for arbitrary parameters, and then invoke shareMake/shareCheck without any authentication. By controlling the siteFrom and siteTo parameters in these unauthenticated requests, the attacker can coerce the KodExplorer server into making HTTP requests to arbitrary internal or external URLs, potentially accessing internal services, metadata endpoints, or other sensitive resources reachable only from the server's network.
Source: https://vulnplus-note.wetolink.com/share/3VtzyzYgcS4b
User: vulnplusbot (UID 96250)
Submission: 03/22/2026 13:41 (15 days ago)
Moderation: 04/05/2026 17:44 (14 days later)
Status: Accepted
VulDB entry: 355408 [kalcaddle kodbox up to 1.64 shareMake/shareCheck siteFrom/siteTo server-side request forgery]
Points: 18
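The description above points at two separate weaknesses: a request-integrity token derived from a key that ships in the public source, and outbound fetches whose destination (siteFrom/siteTo) is taken from the request without restriction. The following is an added example showing the defensive shape of both controls in Python; it is not Kodbox's code and does not reproduce its _check scheme. The function names (make_check, verify_check, validate_outbound_url, check_share_request), the per-deployment secret, and the stub DNS table are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from urllib.parse import urlencode, urlparse

# Assumption: the signing key is generated per deployment and loaded from
# configuration or the environment, never a string literal in the codebase.
SHARE_SECRET = secrets.token_bytes(32)

ALLOWED_SCHEMES = {"http", "https"}


def make_check(params: dict, secret: bytes = SHARE_SECRET) -> str:
    """HMAC-SHA256 over a canonical (sorted, URL-encoded) parameter set."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def verify_check(params: dict, check: str, secret: bytes = SHARE_SECRET) -> bool:
    """Constant-time comparison so the token check does not leak timing."""
    return hmac.compare_digest(make_check(params, secret), check)


def is_public_address(ip_str: str) -> bool:
    """Reject loopback, RFC1918, link-local (incl. 169.254.169.254), etc."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


# Constructed stand-in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "files.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
}


def constructed_resolver(host: str) -> list:
    """Return IP literals as-is, otherwise look the host up in the stub table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return CONSTRUCTED_DNS[host]  # KeyError models NXDOMAIN


def validate_outbound_url(url: str, resolve=constructed_resolver,
                          allowed_hosts=None) -> tuple:
    """Return (ok, reason). Every resolved address must be public."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist: %s" % host
    try:
        addrs = resolve(host)
    except (KeyError, OSError) as exc:
        return False, "resolution failed: %r" % exc
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def check_share_request(params: dict, check: str,
                        resolve=constructed_resolver) -> tuple:
    """Gate a share request: valid token first, then both fetch targets."""
    if not verify_check(params, check):
        return False, "invalid _check token"
    for key in ("siteFrom", "siteTo"):
        ok, reason = validate_outbound_url(params.get(key, ""), resolve)
        if not ok:
            return False, "%s: %s" % (key, reason)
    return True, "ok"


if __name__ == "__main__":
    good = {"siteFrom": "https://files.example.com/a",
            "siteTo": "https://files.example.com/b"}
    print(check_share_request(good, make_check(good)))
    bad = dict(good, siteTo="http://169.254.169.254/latest/meta-data/")
    print(check_share_request(bad, make_check(bad)))
```

Two caveats that matter in practice: the address that passes is_public_address must be the one the HTTP client actually connects to (resolve once and pin it, or DNS rebinding defeats the check), and any redirect the fetch follows must be re-validated with the same function before it is followed.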
