CVE-2026-57940

🗓️ 26 Jun 2026 13:08:02Reported by mitreType

HTMLy 3.1.1 has a server side forgery in RSS import via unvalidated feed_url; admin users can trigger external requests.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-57940	26 Jun 202613:08	–	attackerkb
Circl	CVE-2026-57940	26 Jun 202613:55	–	circl
Cvelist	CVE-2026-57940	26 Jun 202613:08	–	cvelist
EUVD	EUVD-2026-39660	26 Jun 202615:32	–	euvd
NVD	CVE-2026-57940	26 Jun 202614:17	–	nvd
Positive Technologies	PT-2026-52707	26 Jun 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-57940	26 Jun 202613:08	–	vulnrichment

Vulners

Node

danpros htmlyMatch3.1.1

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "RSS feed import (Tools → Import RSS)"
    ],
    "platforms": [
      "PHP"
    ],
    "product": "HTMLy",
    "programFiles": [
      "system/includes/functions.php"
    ],
    "programRoutines": [
      {
        "name": "system/includes/functions.php"
      }
    ],
    "repo": "https://github.com/danpros/htmly",
    "vendor": "danpros",
    "versions": [
      {
        "status": "affected",
        "version": "3.1.1",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/danpros/htmly/blob/c8b7ed9af39a266b256759becf26dba6a59e11e6/system/admin/admin.php

26 Jun 2026 20:23Current

5.8Medium risk

Vulners AI Score5.8

CVSS 42.1

SSVC

CWE-918