CVE-2026-47170

Source
https://cve.org/CVERecord?id=CVE-2026-47170
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47170.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47170
Aliases
  • GHSA-x24v-76hr-989r
Published
2026-06-11T18:38:46.120Z
Modified
2026-07-08T08:10:14.052236833Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Garlic-Hub: SSRF vulnerability in uploadFromUrl endpoint
Details

Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the server to issue arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This allows internal port scanning, service fingerprinting, and retrieval of internal HTTP responses which are stored in the publicly accessible media pool. This issue has been patched in version 1.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47170.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "1.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/garlic-signage/garlic-hub

Affected ranges

Type
GIT
Repo
https://github.com/garlic-signage/garlic-hub
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v1.*
v1.0.0
v1.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47170.json"