
Github Security Blog
added 2025/12/10 5:18 p.m. · 10 views

Miniflux has an Open Redirect via protocol-relative redirect_url

Summary: redirect_url is treated as safe when url.Parse(...).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. Details: url.Parse("//ikotaslabs.com") yields an empty Scheme and Host="ikotaslabs.com". ...

CVSS 6.1 · AI score 6.9 · EPSS 0.00183
Exploits 1 · References 4 · Affected Software 1
RedhatCVE
added 2025/04/05 6:33 p.m. · 18 views

CVE-2025-31483

Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed...

CVSS 4.8 · AI score 6.3 · EPSS 0.00357
Exploits 0 · References 1
NVD
added 2025/04/03 6:15 p.m. · 21 views

CVE-2025-31483

Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed...

CVSS 4.8 · EPSS 0.00357
Exploits 0 · References 2
CVE
added 2025/04/03 6:07 p.m. · 81 views

CVE-2025-31483

The CVE-2025-31483 vulnerability affects Miniflux (a feed reader) where a weak Content Security Policy on the /proxy/* route allowed bypassing the media proxy CSP and executing cross-site scripting when external images were opened in a new tab/window. Root cause: insufficient CSP controls for the...

CVSS 4.8 · AI score 6.6 · EPSS 0.00357
Exploits 0 · References 2
Github Security Blog
added 2025/04/02 5:25 p.m. · 16 views

Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

Impact Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to valid responses. By...

CVSS 5.4 · AI score 7.6 · EPSS 0.00586
Exploits 0 · References 9 · Affected Software 1
OSV
added 2025/04/02 5:25 p.m. · 3 views

GHSA-MQQG-XJHJ-WFGW Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

Impact Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to valid responses. By...

CVSS 4.8 · AI score 7.6 · EPSS 0.00586
Exploits 0 · References 9
Positive Technologies
added 2023/03/17 12:00 a.m. · 6 views

PT-2023-21232 · Miniflux · Miniflux

Name of the Vulnerable Software and Affected Versions: Miniflux versions 2.0.25 through 2.0.42 Description: The issue arises when Miniflux automatically proxies images served over HTTP to prevent mixed content errors. If an outbound request made by the Go HTTP client fails, the html.ServerError i...

CVSS 5.4 · AI score 7.6 · EPSS 0.00586
Exploits 0 · References 12
CNNVD
added 2023/03/17 12:00 a.m. · 4 views

Miniflux security vulnerability

Miniflux is a minimalist feed reader. A security vulnerability exists in Miniflux versions prior to 2.0.43. An attacker exploiting this vulnerability could access Prometheus metrics...

CVSS 7.5 · AI score 7.3 · EPSS 0.00755
Exploits 0 · References 5