CVE-2026-42181 Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP...

CVE-2026-42181

Lemmy prior to 0.19.18 is vulnerable to SSRF through post link metadata: the system validates the top-level URL against internal ranges, but the og:image URL extracted from the page is not subjected to the same restriction. An authenticated low-privileged user can post a page whose og:image point...