CVE-2021-33563

HIGH

Koel <5.1.4 - Info Disclosure

Title source: llm

Description

Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.

References (2)

[Exploit, Issue Tracking, Third Party Advisory] https://huntr.dev/bounties/1-other-koel/koel/

[Third Party Advisory] https://github.com/koel/koel/releases/tag/v5.1.4

Scores

CVSS v3 7.5

EPSS 0.0012

EPSS Percentile 31.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-916

Status published

Products (2)

koel/koel < 5.1.4

phanan/koel 0 - 5.1.4Packagist

Published May 24, 2021

Tracked Since Feb 18, 2026