Suggestions search

Untriaged

Filter by:

With package: lemmy-server

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-42181

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 2 weeks, 2 days ago Activity log

Created suggestion 2 weeks, 2 days ago

Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.

References

https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq x_refsource_CONFIRM
https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 x_refsource_MISC

Affected products

lemmy

==< 0.19.18

Matching in nixpkgs

pkgs.lemmy-ui

Building a federated alternative to reddit in rust

nixos-unstable 0.19.18
- nixpkgs-unstable 0.19.18
- nixos-unstable-small 0.19.18
nixos-25.11 0.19.13
- nixos-25.11-small 0.19.13
- nixpkgs-25.11-darwin 0.19.13

pkgs.lemmy-help

CLI for generating vim help docs from emmylua comments

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0
nixos-25.11 0.11.0
- nixos-25.11-small 0.11.0
- nixpkgs-25.11-darwin 0.11.0

pkgs.lemmy-server

🐀 Building a federated alternative to reddit in rust

nixos-unstable 0.19.18
- nixpkgs-unstable 0.19.18
- nixos-unstable-small 0.19.18
nixos-25.11 0.19.13
- nixos-25.11-small 0.19.13
- nixpkgs-25.11-darwin 0.19.13

Package maintainers

@georgyo George Shammas <george@shamm.as>
@billewanick Bill Ewanick <bill@ewanick.com>
@happysalada Raphael Megzari <raphael@megzari.com>

Permalink CVE-2026-42180

6.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

created 2 weeks, 2 days ago Activity log

Created suggestion 2 weeks, 2 days ago

Lemmy: SSRF in /api/v3/post via Webmention dispatch

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.

References

https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 x_refsource_CONFIRM
https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 x_refsource_MISC

Affected products

lemmy

==< 0.19.18

Matching in nixpkgs

pkgs.lemmy-ui

Building a federated alternative to reddit in rust

nixos-unstable 0.19.18
- nixpkgs-unstable 0.19.18
- nixos-unstable-small 0.19.18
nixos-25.11 0.19.13
- nixos-25.11-small 0.19.13
- nixpkgs-25.11-darwin 0.19.13

pkgs.lemmy-help

CLI for generating vim help docs from emmylua comments

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0
nixos-25.11 0.11.0
- nixos-25.11-small 0.11.0
- nixpkgs-25.11-darwin 0.11.0

pkgs.lemmy-server

🐀 Building a federated alternative to reddit in rust

nixos-unstable 0.19.18
- nixpkgs-unstable 0.19.18
- nixos-unstable-small 0.19.18
nixos-25.11 0.19.13
- nixos-25.11-small 0.19.13
- nixpkgs-25.11-darwin 0.19.13

Package maintainers

@georgyo George Shammas <george@shamm.as>
@billewanick Bill Ewanick <bill@ewanick.com>
@happysalada Raphael Megzari <raphael@megzari.com>