Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by LemmyNet
CVE-2026-42181 (GCVE-0-2026-42181)
Vulnerability from nvd – Published: 2026-05-08 19:26 – Updated: 2026-05-11 16:01
VLAI
Title
Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image
Summary
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42181",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T16:00:57.536211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:01:01.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:26:07.763Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq"
},
{
"name": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
}
],
"source": {
"advisory": "GHSA-h6hf-9846-xwrq",
"discovery": "UNKNOWN"
},
"title": "Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42181",
"datePublished": "2026-05-08T19:26:07.763Z",
"dateReserved": "2026-04-25T01:53:21.582Z",
"dateUpdated": "2026-05-11T16:01:01.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42180 (GCVE-0-2026-42180)
Vulnerability from nvd – Published: 2026-05-08 19:29 – Updated: 2026-05-13 17:18
VLAI
Title
Lemmy: SSRF in /api/v3/post via Webmention dispatch
Summary
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T17:17:59.971593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T17:18:23.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:29:04.132Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
},
{
"name": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
}
],
"source": {
"advisory": "GHSA-3jvj-v6w2-h948",
"discovery": "UNKNOWN"
},
"title": "Lemmy: SSRF in /api/v3/post via Webmention dispatch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42180",
"datePublished": "2026-05-08T19:29:04.132Z",
"dateReserved": "2026-04-25T01:53:21.582Z",
"dateUpdated": "2026-05-13T17:18:23.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33693 (GCVE-0-2026-33693)
Vulnerability from nvd – Published: 2026-03-27 00:03 – Updated: 2026-03-30 11:51
VLAI
Title
Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
Summary
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/activitypub-federatio… | x_refsource_MISC |
| https://github.com/advisories/GHSA-7723-35v7-qcxw | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33693",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T11:50:59.456186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T11:51:10.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.7.0-beta.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T00:03:35.946Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35"
},
{
"name": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599"
},
{
"name": "https://github.com/advisories/GHSA-7723-35v7-qcxw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-7723-35v7-qcxw"
}
],
"source": {
"advisory": "GHSA-q537-8fr5-cw35",
"discovery": "UNKNOWN"
},
"title": "Lemmy\u0027s Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33693",
"datePublished": "2026-03-27T00:03:35.946Z",
"dateReserved": "2026-03-23T16:34:59.932Z",
"dateUpdated": "2026-03-30T11:51:10.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29178 (GCVE-0-2026-29178)
Vulnerability from nvd – Published: 2026-03-06 17:56 – Updated: 2026-03-06 18:33
VLAI
Title
Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint
Summary
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/commit/f47a03f5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29178",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:33:04.955735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:33:08.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:56:09.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"
},
{
"name": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871"
}
],
"source": {
"advisory": "GHSA-jvxv-2jjp-jxc3",
"discovery": "UNKNOWN"
},
"title": "Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29178",
"datePublished": "2026-03-06T17:56:09.378Z",
"dateReserved": "2026-03-04T14:44:00.713Z",
"dateUpdated": "2026-03-06T18:33:08.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25194 (GCVE-0-2025-25194)
Vulnerability from nvd – Published: 2025-02-10 22:14 – Updated: 2025-02-11 15:19
VLAI
Title
Server-Side Request Forgery (SSRF) in activitypub_federation
Summary
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. As of time of publication, a fix has not been made available.
Severity
4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:19:28.876838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:19:46.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.19.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. As of time of publication, a fix has not been made available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:14:32.302Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-7723-35v7-qcxw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-7723-35v7-qcxw"
}
],
"source": {
"advisory": "GHSA-7723-35v7-qcxw",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in activitypub_federation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25194",
"datePublished": "2025-02-10T22:14:32.302Z",
"dateReserved": "2025-02-03T19:30:53.400Z",
"dateUpdated": "2025-02-11T15:19:46.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23649 (GCVE-0-2024-23649)
Vulnerability from nvd – Published: 2024-01-24 18:09 – Updated: 2025-05-30 14:16
VLAI
Title
Any authenticated user may obtain private message details from other users on the same instance
Summary
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.
Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported:
Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.
Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/commit/bc32b408… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv"
},
{
"name": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:42:46.679129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:16:25.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.17.0, \u003c 0.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they\u0027re neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they\u0027re able to see the resulting reports.\n\nCreating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported:\n\nAny authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.\n\nVersion 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T18:09:30.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv"
},
{
"name": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5"
}
],
"source": {
"advisory": "GHSA-r64r-5h43-26qv",
"discovery": "UNKNOWN"
},
"title": "Any authenticated user may obtain private message details from other users on the same instance"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23649",
"datePublished": "2024-01-24T18:09:30.401Z",
"dateReserved": "2024-01-19T00:18:53.234Z",
"dateUpdated": "2025-05-30T14:16:25.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-42180 (GCVE-0-2026-42180)
Vulnerability from cvelistv5 – Published: 2026-05-08 19:29 – Updated: 2026-05-13 17:18
VLAI
Title
Lemmy: SSRF in /api/v3/post via Webmention dispatch
Summary
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T17:17:59.971593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T17:18:23.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:29:04.132Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
},
{
"name": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
}
],
"source": {
"advisory": "GHSA-3jvj-v6w2-h948",
"discovery": "UNKNOWN"
},
"title": "Lemmy: SSRF in /api/v3/post via Webmention dispatch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42180",
"datePublished": "2026-05-08T19:29:04.132Z",
"dateReserved": "2026-04-25T01:53:21.582Z",
"dateUpdated": "2026-05-13T17:18:23.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42181 (GCVE-0-2026-42181)
Vulnerability from cvelistv5 – Published: 2026-05-08 19:26 – Updated: 2026-05-11 16:01
VLAI
Title
Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image
Summary
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42181",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T16:00:57.536211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:01:01.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:26:07.763Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq"
},
{
"name": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
}
],
"source": {
"advisory": "GHSA-h6hf-9846-xwrq",
"discovery": "UNKNOWN"
},
"title": "Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42181",
"datePublished": "2026-05-08T19:26:07.763Z",
"dateReserved": "2026-04-25T01:53:21.582Z",
"dateUpdated": "2026-05-11T16:01:01.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33693 (GCVE-0-2026-33693)
Vulnerability from cvelistv5 – Published: 2026-03-27 00:03 – Updated: 2026-03-30 11:51
VLAI
Title
Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
Summary
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/activitypub-federatio… | x_refsource_MISC |
| https://github.com/advisories/GHSA-7723-35v7-qcxw | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33693",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T11:50:59.456186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T11:51:10.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.7.0-beta.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T00:03:35.946Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35"
},
{
"name": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599"
},
{
"name": "https://github.com/advisories/GHSA-7723-35v7-qcxw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-7723-35v7-qcxw"
}
],
"source": {
"advisory": "GHSA-q537-8fr5-cw35",
"discovery": "UNKNOWN"
},
"title": "Lemmy\u0027s Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33693",
"datePublished": "2026-03-27T00:03:35.946Z",
"dateReserved": "2026-03-23T16:34:59.932Z",
"dateUpdated": "2026-03-30T11:51:10.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29178 (GCVE-0-2026-29178)
Vulnerability from cvelistv5 – Published: 2026-03-06 17:56 – Updated: 2026-03-06 18:33
VLAI
Title
Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint
Summary
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/commit/f47a03f5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29178",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:33:04.955735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:33:08.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:56:09.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"
},
{
"name": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871"
}
],
"source": {
"advisory": "GHSA-jvxv-2jjp-jxc3",
"discovery": "UNKNOWN"
},
"title": "Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29178",
"datePublished": "2026-03-06T17:56:09.378Z",
"dateReserved": "2026-03-04T14:44:00.713Z",
"dateUpdated": "2026-03-06T18:33:08.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25194 (GCVE-0-2025-25194)
Vulnerability from cvelistv5 – Published: 2025-02-10 22:14 – Updated: 2025-02-11 15:19
VLAI
Title
Server-Side Request Forgery (SSRF) in activitypub_federation
Summary
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. As of time of publication, a fix has not been made available.
Severity
4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:19:28.876838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:19:46.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.19.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. As of time of publication, a fix has not been made available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:14:32.302Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-7723-35v7-qcxw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-7723-35v7-qcxw"
}
],
"source": {
"advisory": "GHSA-7723-35v7-qcxw",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in activitypub_federation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25194",
"datePublished": "2025-02-10T22:14:32.302Z",
"dateReserved": "2025-02-03T19:30:53.400Z",
"dateUpdated": "2025-02-11T15:19:46.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23649 (GCVE-0-2024-23649)
Vulnerability from cvelistv5 – Published: 2024-01-24 18:09 – Updated: 2025-05-30 14:16
VLAI
Title
Any authenticated user may obtain private message details from other users on the same instance
Summary
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.
Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported:
Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.
Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/LemmyNet/lemmy/security/adviso… | x_refsource_CONFIRM |
| https://github.com/LemmyNet/lemmy/commit/bc32b408… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv"
},
{
"name": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:42:46.679129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T14:16:25.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lemmy",
"vendor": "LemmyNet",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.17.0, \u003c 0.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they\u0027re neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they\u0027re able to see the resulting reports.\n\nCreating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported:\n\nAny authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.\n\nVersion 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T18:09:30.401Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv"
},
{
"name": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5"
}
],
"source": {
"advisory": "GHSA-r64r-5h43-26qv",
"discovery": "UNKNOWN"
},
"title": "Any authenticated user may obtain private message details from other users on the same instance"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23649",
"datePublished": "2024-01-24T18:09:30.401Z",
"dateReserved": "2024-01-19T00:18:53.234Z",
"dateUpdated": "2025-05-30T14:16:25.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}