phanan/koel Security Advisories for v5.1.0 (8)
-
[MEDIUM] Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail
PKSA-69y7-vwnx-px15 CVE-2026-50552 GHSA-jr4p-4xjh-fwvw
Affected version: <=9.7.0
Reported by:
GitHub -
[HIGH] Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths
PKSA-1qtf-pcfh-kb47 CVE-2026-54491 GHSA-6qvr-wjmv-v8mm
Affected version: <=9.7.0
Reported by:
GitHub -
[MEDIUM] Koel has SSRF through Authenticated Subsonic podcast feed URLs
PKSA-74sr-w83z-r28d GHSA-8q6q-m837-fv64
Affected version: <=9.6.0
Reported by:
GitHub -
[HIGH] Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations
PKSA-gv41-hnht-9yhw CVE-2026-54493 GHSA-6p96-cfg5-4vhp
Affected version: <=9.6.0
Reported by:
GitHub -
[MEDIUM] Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation
PKSA-drvx-ht86-w4b7 CVE-2026-54492 GHSA-w79m-f3jx-779v
Affected version: <=9.6.0
Reported by:
GitHub -
[HIGH] Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs
PKSA-bprq-tfgm-1hd2 CVE-2026-47260 GHSA-7j2f-6h2r-6cqc
Affected version: <=9.3.4
Reported by:
GitHub -
[HIGH] Improper rate limiting in Koel
PKSA-929f-gr4s-2fz1 CVE-2021-33563 GHSA-r37h-j483-cjjm
Affected version: <5.1.4
Reported by:
GitHub