CVE Catalog

CVE-2026-59101

Medium (CVSS 5.8)

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

AutoBangumi before version 3.2.8 contains a server-side request forgery (SSRF) vulnerability. Unauthenticated remote attackers can probe internal network services by supplying arbitrary host values to an unprotected setup endpoint.

Risk Assessment

An attacker can exploit this vulnerability to scan the organization's internal network, gaining information about available services and potentially bypassing perimeter defenses.

Recommendation

Update AutoBangumi to version 3.2.8 or later immediately. Additionally, restrict access to the /api/v1/setup/test-downloader endpoint to trusted IP addresses only.
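To check whether the endpoint has been reached from outside the trusted ranges, a reverse-proxy access log can be reviewed. The following is an added example, not AutoBangumi code: it assumes the proxy writes Combined Log Format, and the trusted ranges and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Endpoint named in the advisory; everything else here is an assumption.
ENDPOINT = "/api/v1/setup/test-downloader"
# Assumed trusted admin ranges (constructed for this example).
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.0.0/24")]

# Combined Log Format: client ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.0.5 - - [01/Jan/2026:10:00:00 +0000] "POST /api/v1/setup/test-downloader HTTP/1.1" 200 58
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "POST /api/v1/setup/test-downloader HTTP/1.1" 200 131
203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "POST /api/v1/setup/test-downloader?x=1 HTTP/1.1" 200 140
198.51.100.9 - - [01/Jan/2026:10:00:04 +0000] "GET /api/v1/status HTTP/1.1" 200 20
198.51.100.9 - - [01/Jan/2026:10:00:05 +0000] "POST /api/v1/setup/test-downloader/ HTTP/1.1" 403 0
not a log line
"""

def is_trusted(ip_text):
    """True only if ip_text parses as an address inside a TRUSTED network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field is treated as untrusted
    return any(ip in net for net in TRUSTED)

def untrusted_setup_hits(log_text):
    """Map client IP -> [(timestamp, status)] for POSTs to ENDPOINT from outside TRUSTED."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore query string and trailing slash so variants of the path still match.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != ENDPOINT or is_trusted(m["ip"]):
            continue
        hits.setdefault(m["ip"], []).append((m["ts"], int(m["status"])))
    return hits
```

Repeated hits from one client in a short window, especially with varying response sizes, are worth correlating with the application's outbound connections at the same timestamps.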

Original NVD description (English source)

AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST /api/v1/setup/test-downloader endpoint during the initial setup window, causing the server to issue HTTP GET requests to internal or reserved addresses and leak information through echoed connection-error messages.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS