{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40089", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.206Z", "datePublished": "2026-04-09T19:43:09.606Z", "dateUpdated": "2026-04-13T20:20:37.737Z"}, "containers": {"cna": {"title": "Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48"}], "affected": [{"vendor": "sonicverse-eu", "product": "audiostreaming-stack", "versions": [{"version": "< cb1ddbacafcb441549fe87d3eeabdb6a085325e4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:43:09.606Z"}, "descriptions": [{"lang": "en", "value": "Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one\u2011liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4."}], "source": {"advisory": "GHSA-8vvj-7f7r-7v48", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:20:25.287768Z", "id": "CVE-2026-40089", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:20:37.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40089", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T20:20:25.287768Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:20:33.688Z"}}], "cna": {"title": "Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client", "source": {"advisory": "GHSA-8vvj-7f7r-7v48", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sonicverse-eu", "product": "audiostreaming-stack", "versions": [{"status": "affected", "version": "< cb1ddbacafcb441549fe87d3eeabdb6a085325e4"}]}], "references": [{"url": "https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48", "name": "https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one\u2011liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:43:09.606Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40089", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:20:37.737Z", "dateReserved": "2026-04-09T00:39:12.206Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T19:43:09.606Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the one\u2011liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4."}], "id": "CVE-2026-40089", "lastModified": "2026-04-13T15:02:27.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T20:16:27.743", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sonicverse-eu/audiostreaming-stack/security/advisories/GHSA-8vvj-7f7r-7v48"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,cb1ddbacafcb441549fe87d3eeabdb6a085325e4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "audiostreaming-stack", "source": "cna", "vendor": "sonicverse-eu"}, "product": "audiostreaming-stack", "vendor": "sonicverse-eu"}], "analysis": {"en": {"generated_at": "2026-04-09T21:22:06.891958+00:00", "value": {"mitigation_remediation": ["Update the code base to include the commit that fixes the SSRF (cb1ddbacafcb441549fe87d3eeabdb6a085325e4) or deploy the latest release of the Sonicverse stack after the fix.", "Re\u2011run the install.sh script from an updated source that includes the current fix.", "If an immediate update is not possible, restrict dashboard access to trusted administrators and monitor outbound HTTP requests for anomalous activity."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Sonicverse Self\u2011Hosted Docker Compose radio streaming stack (sonicverse-eu:audiostreaming-stack). All installations created with the default install.sh script\u2014including the one\u2011liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)\u2014are vulnerable. No specific version numbers are provided, so any deployment built from the released source prior to the commit that fixes the issue is susceptible.", "description_and_impact": "The audit reveals that the Sonicverse dashboard\u2019s API client accepts user\u2011controlled URLs and forwards them directly to a server\u2011side HTTP client without validation, creating a Server\u2011Side Request Forgery flaw. An attacker who can authenticate as a dashboard operator can instruct the backend to send arbitrary HTTP or HTTPS requests to any internal or external host, potentially leaking sensitive data, exfiltrating files, or enabling pivoting within the network. This can compromise confidentiality, integrity, and availability of internal services that the compromised dashboard can reach.", "risk_and_exploitability": "The CVSS v3 score of 9.9 indicates a critical severity with high exploitation weights. Although the EPSS score is unavailable, the lack of presence in the CISA KEV catalog suggests no publicly documented exploit yet. The flaw requires the attacker to have authenticated driver of the dashboard, implying manual over-the-wire actions rather than remote code execution via unauthenticated access. Nevertheless, once authenticated, the attacker can exfiltrate data or leverage the stack to reach other internal endpoints, making the risk significant for exposed or poorly secured deployments."}}}}, "created": "2026-04-10T08:38:44.903259+00:00", "updated": "2026-04-10T09:29:28.156570+00:00", "vendors": ["sonicverse-eu", "sonicverse-eu$PRODUCT$audiostreaming-stack"]}