A vulnerability described as critical has been identified in Koel up to 9.3.4 . Affected by this issue is the function Http::sink of the component DNS Resolution Handler . Executing a manipulation can lead to server-side request forgery. This vulnerability is registered as CVE-2026-47260 . It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is recommended.