Lucene search
K

23 matches found

EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42952

PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence...

5.1CVSS6.2AI score0.00269EPSS
Exploits0References3
CVE
CVE
added 2026/07/01 7:27 p.m.24 views

CVE-2026-58593

NodeBB is affected by CVE-2026-58593 where inbound ActivityPub objects are not correctly bound to the authenticated remote actor. The middleware verifies the HTTP-signature actor and origin of object.id but does not validate that attributedTo corresponds to the sender, treating attributedTo as a ...

8.7CVSS6AI score0.00191EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/27 12:3 a.m.2 views

CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the...

6.5CVSS5.9AI score0.00359EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/03/27 12:3 a.m.36 views

CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the...

6.5CVSS0.00359EPSS
Exploits2References3
CVE
CVE
added 2026/03/27 12:3 a.m.38 views

CVE-2026-33693

Lemmy’s Activitypub-Federation vulnerable component: Rust-based v4_is_invalid() in activitypub_federation-rust fails to check IPv4Addr::UNSPECIFIED (0.0.0.0). An unauthenticated attacker controlling a remote domain could direct 0.0.0.0 and bypass SSRF protections, reaching localhost services on t...

6.5CVSS5.8AI score0.00359EPSS
Exploits2References3
OSV
OSV
added 2026/03/27 12:3 a.m.7 views

CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the...

6.5CVSS5.9AI score0.00359EPSS
Exploits2References5
Github Security Blog
Github Security Blog
added 2026/03/25 8:23 p.m.7 views

Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Summary The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw,...

6.5CVSS5.9AI score0.00359EPSS
Exploits2References5Affected Software1
OSV
OSV
added 2026/03/25 8:23 p.m.6 views

GHSA-Q537-8FR5-CW35 Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Summary The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw,...

6.5CVSS5.9AI score0.00359EPSS
Exploits2References5
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/25 12:0 a.m.7 views

Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw, and reac...

6.5CVSS5.9AI score0.00359EPSS
Exploits2References6Affected Software1
Packet Storm
Packet Storm
added 2026/03/24 12:0 a.m.190 views

📄 activitypub-federation-rust 0.7.1 Server-Side Request Forgery

activitypub-federation-rust versions 0.7.1 and below suffer from a server-side request forgery vulnerability. CVE-2026-33693: SSRF via 0.0.0.0 Bypass in activitypub-federation-rust v4isinvalid CVSS 6.5 Moderate Keywords: SSRF, 0.0.0.0, IP validation bypass, activitypub-federation, Lemmy, Rust,...

6.5CVSS5.8AI score0.00359EPSS
Exploits2
NVD
NVD
added 2026/03/06 6:16 p.m.9 views

CVE-2026-29178

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/filename endpoint is vulnerable to unauthenticated SSRF...

8.7CVSS0.00272EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/06 5:56 p.m.3 views

CVE-2026-29178 Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/filename endpoint is vulnerable to unauthenticated SSRF...

8.7CVSS5.8AI score0.00272EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-4082

Malicious code in bioql PyPI...

4CVSS6.4AI score0.00406EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/07/19 2:2 p.m.6 views

CVE-2025-53941

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue...

6.1CVSS6.6AI score0.00227EPSS
Exploits0References1
NVD
NVD
added 2025/07/17 2:15 p.m.7 views

CVE-2025-53941

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue...

6.1CVSS0.00227EPSS
Exploits0References3
BDU FSTEC
BDU FSTEC
added 2025/02/16 12:0 a.m.13 views

The vulnerability of the verify_url_valid() function in the Activitypub-Federation framework, a platform for creating and managing communities in the Lemmy ecosystem, allows attackers to circumvent security restrictions and gain unauthorized access to protected information.

The vulnerability of the verifyurlvalid function in the Activitypub-Federation framework, a platform for creating and managing communities in the Lemmy community, is related to insufficient validation of requests on the server side. Exploiting this vulnerability could allow an attacker to bypass...

4CVSS5.5AI score0.00406EPSS
Exploits0References6Affected Software2
NVD
NVD
added 2025/02/10 11:15 p.m.7 views

CVE-2025-25194

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypubfederation and versions 0.19...

4CVSS0.00406EPSS
Exploits0References1
CVE
CVE
added 2025/02/10 10:14 p.m.54 views

CVE-2025-25194

CVE-2025-25194 describes a Server-Side Request Forgery (SSRF) in Lemmy linked to the activitypub_federation Rust library. The vulnerability allows an attacker to craft a Webfinger-based request that may bypass hardcoded URL/path restrictions and trigger an arbitrary GET to any Host, Port, and URL...

4CVSS4.4AI score0.00406EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/02/10 10:14 p.m.4 views

CVE-2025-25194 Server-Side Request Forgery (SSRF) in activitypub_federation

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypubfederation and versions 0.19...

4CVSS4.5AI score0.00406EPSS
Exploits0References1
OSV
OSV
added 2025/02/10 10:14 p.m.4 views

CVE-2025-25194 Server-Side Request Forgery (SSRF) in activitypub_federation

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypubfederation and versions 0.19...

4CVSS7.1AI score0.00406EPSS
Exploits0References3
Rows per page
Query Builder