Tag
An authenticated user can exploit a Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-54493, in Koel v9.6.0 via the Subsonic-compatible radio endpoints, which lack proper URL validation, allowing the server to fetch and return the body of internal network resources.