CVE-2026-5618

A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 5.6 MEDIUM
CVSS v2.0 5.1 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://vuldb.com/submit/785572
https://vuldb.com/vuln/355408
https://vuldb.com/vuln/355408/cti
https://vulnplus-note.wetolink.com/share/3VtzyzYgcS4b

Configurations

No configuration.

History

06 Apr 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 04:16

Updated : 2026-06-17 10:59

NVD link : CVE-2026-5618

Mitre link : CVE-2026-5618

CVE.ORG link : CVE-2026-5618

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-5618", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-5618", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:01:55.554157Z"}}], "cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 5.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "cna@vuldb.com", "affectedData": [{"vendor": "kalcaddle", "modules": ["shareMake/shareCheck"], "product": "kodbox", "versions": [{"status": "affected", "version": "1.0"}, {"status": "affected", "version": "1.1"}, {"status": "affected", "version": "1.2"}, {"status": "affected", "version": "1.3"}, {"status": "affected", "version": "1.4"}, {"status": "affected", "version": "1.5"}, {"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.7"}, {"status": "affected", "version": "1.8"}, {"status": "affected", "version": "1.9"}, {"status": "affected", "version": "1.10"}, {"status": "affected", "version": "1.11"}, {"status": "affected", "version": "1.12"}, {"status": "affected", "version": "1.13"}, {"status": "affected", "version": "1.14"}, {"status": "affected", "version": "1.15"}, {"status": "affected", "version": "1.16"}, {"status": "affected", "version": "1.17"}, {"status": "affected", "version": "1.18"}, {"status": "affected", "version": "1.19"}, {"status": "affected", "version": "1.20"}, {"status": "affected", "version": "1.21"}, {"status": "affected", "version": "1.22"}, {"status": "affected", "version": "1.23"}, {"status": "affected", "version": "1.24"}, {"status": "affected", "version": "1.25"}, {"status": "affected", "version": "1.26"}, {"status": "affected", "version": "1.27"}, {"status": "affected", "version": "1.28"}, {"status": "affected", "version": "1.29"}, {"status": "affected", "version": "1.30"}, {"status": "affected", "version": "1.31"}, {"status": "affected", "version": "1.32"}, {"status": "affected", "version": "1.33"}, {"status": "affected", "version": "1.34"}, {"status": "affected", "version": "1.35"}, {"status": "affected", "version": "1.36"}, {"status": "affected", "version": "1.37"}, {"status": "affected", "version": "1.38"}, {"status": "affected", "version": "1.39"}, {"status": "affected", "version": "1.40"}, {"status": "affected", "version": "1.41"}, {"status": "affected", "version": "1.42"}, {"status": "affected", "version": "1.43"}, {"status": "affected", "version": "1.44"}, {"status": "affected", "version": "1.45"}, {"status": "affected", "version": "1.46"}, {"status": "affected", "version": "1.47"}, {"status": "affected", "version": "1.48"}, {"status": "affected", "version": "1.49"}, {"status": "affected", "version": "1.50"}, {"status": "affected", "version": "1.51"}, {"status": "affected", "version": "1.52"}, {"status": "affected", "version": "1.53"}, {"status": "affected", "version": "1.54"}, {"status": "affected", "version": "1.55"}, {"status": "affected", "version": "1.56"}, {"status": "affected", "version": "1.57"}, {"status": "affected", "version": "1.58"}, {"status": "affected", "version": "1.59"}, {"status": "affected", "version": "1.60"}, {"status": "affected", "version": "1.61"}, {"status": "affected", "version": "1.62"}, {"status": "affected", "version": "1.63"}, {"status": "affected", "version": "1.64"}]}]}], "published": "2026-04-06T04:16:14.050", "references": [{"url": "https://vuldb.com/submit/785572", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/355408", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/355408/cti", "source": "cna@vuldb.com"}, {"url": "https://vulnplus-note.wetolink.com/share/3VtzyzYgcS4b", "source": "cna@vuldb.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "lastModified": "2026-06-17T10:59:23.130", "sourceIdentifier": "cna@vuldb.com"}