CVE-2026-50552 is a Server-Side Request Forgery (SSRF) vulnerability in Koel, a free, open-source music streaming solution. It affects Koel versions prior to 9.7.1 and is located in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, allowing the HasAudioContentType rule to execute even afte [truncated]
CVE-2026-47260 is a Server-Side Request Forgery (SSRF) vulnerability in Koel, a free, open-source music streaming solution. The vulnerability allows attackers to access internal services by exploiting the podcast feed URL validation mechanism. Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but fails to validate individual episode enclosure URLs extracted from [truncated]