CVE-2026-7065 | BidingCC BuildingAI up to 26.0.1 Remote Upload API file-storage.service.ts uploadRemoteFile url server-side request forgery (Issue 110)

A vulnerability was found in BidingCC BuildingAI up to 26.0.1. It has been rated as critical. Impacted is the function uploadRemoteFile of the file packages/core/src/modules/upload/services/file-storage.service.ts of the component Remote Upload API. The manipulation of the argument url leads to server-side request forgery.

This vulnerability is traded as CVE-2026-7065. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

The project was informed of the problem early through an issue report but has not responded yet.