Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-42180
6.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Lemmy: SSRF in /api/v3/post via Webmention dispatch
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.
References
-
https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 x_refsource_CONFIRM
-
https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 x_refsource_MISC
Affected products
lemmy
- ==< 0.19.18
Matching in nixpkgs
pkgs.lemmy-ui
Building a federated alternative to reddit in rust
pkgs.lemmy-help
CLI for generating vim help docs from emmylua comments
Package maintainers
-
@georgyo George Shammas <george@shamm.as>
-
@billewanick Bill Ewanick <bill@ewanick.com>
-
@happysalada Raphael Megzari <raphael@megzari.com>