an ssrf in cloudreve through remote download

cve-2026-54562 let non-admin cloudreve users with remote download permission fetch loopback and internal-only urls, then read the imported response body from their own files