CVE-2026-47170
7.7 HIGHGarlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 7.7 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- CWE
- CWE-918
Description
Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the server to issue arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This allows internal port scanning, service fingerprinting, and retrieval of internal HTTP responses which are stored in the publicly accessible media pool. This issue has been patched in version 1.1.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53812 — OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypa... (7.7 HIGH)
- CVE-2026-53782 — Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to dire... (7.4 HIGH)
- CVE-2026-47157 — aiograpi is an asynchronous Instagram API for Python (6.5 MEDIUM)
- CVE-2026-46698 — Fediverse Embeds embeds fediverse posts on WordPress sites (5.3 MEDIUM)
- CVE-2026-46697 — Fediverse Embeds embeds fediverse posts on WordPress sites (7.5 HIGH)