8 matches found
Miniflux has an Open Redirect via protocol-relative redirect_url
Summary: redirect_url is treated as safe when url.Parse(...).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. Details - url.Parse("//ikotaslabs.com") = empty Scheme, Host="ikotaslabs.com". ...
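The check described in the entry above, as an added example (not Miniflux's code): the weak predicate that only asks url.Parse whether the target is absolute, beside a hardened same-origin check. Function names, the sample targets and the hardened rule are this example's own assumptions; the "/\host" case is included because browsers normalise a backslash after the first slash into a second slash, which goes beyond the advisory's single test case.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakIsSafeRedirect reproduces the flawed logic from the advisory: any
// target that parses and is not absolute (has no scheme) is accepted.
// "//ikotaslabs.com" parses with Scheme == "" and Host == "ikotaslabs.com",
// so IsAbs() is false and the protocol-relative URL is waved through.
func weakIsSafeRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return !u.IsAbs()
}

// safeIsSafeRedirect (hypothetical hardened check, not the project's fix)
// accepts only local paths: no scheme, no host, no userinfo, no opaque part,
// and exactly one leading slash. The last prefix test also rejects "/\host",
// which browsers rewrite to "//host" even though url.Parse sees a plain path.
func safeIsSafeRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return false
	}
	if !strings.HasPrefix(target, "/") {
		return false
	}
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return false
	}
	return true
}

func main() {
	// Constructed sample targets: one legitimate local path and three
	// attacker-controlled forms.
	for _, t := range []string{
		"/unread",
		"//ikotaslabs.com",
		"/\\ikotaslabs.com",
		"https://ikotaslabs.com",
	} {
		fmt.Printf("%-26q weak=%-5v safe=%v\n", t, weakIsSafeRedirect(t), safeIsSafeRedirect(t))
	}
}
```

Running it shows the weak check accepting both "//ikotaslabs.com" and "/\ikotaslabs.com" while rejecting only the fully qualified "https://" form; the hardened check accepts "/unread" alone. Checking the raw string prefix rather than only the parsed fields matters because url.Parse does not flag the backslash variant.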
CVE-2025-31483
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed...
CVE-2025-31483
The CVE-2025-31483 vulnerability affects Miniflux (a feed reader) where a weak Content Security Policy on the /proxy/* route allowed bypassing the media proxy CSP and executing cross-site scripting when external images were opened in a new tab/window. Root cause: insufficient CSP controls for the...
GHSA-MQQG-XJHJ-WFGW Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler
Impact Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to valid responses. By...
PT-2023-21232 · Miniflux · Miniflux
Name of the Vulnerable Software and Affected Versions: Miniflux versions 2.0.25 through 2.0.42 Description: The issue arises when Miniflux automatically proxies images served over HTTP to prevent mixed content errors. If an outbound request made by the Go HTTP client fails, the html.ServerError i...
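The failure mode described in the GHSA entry and the PT-2023-21232 entry above, as an added example that is not Miniflux's handler code: an outbound fetch error whose text embeds the attacker-chosen image URL is written into an HTML error page unescaped and without a CSP, beside a version that escapes it and sends a restrictive policy. The handler names, the stand-in error constructor, the CSP value and the sample URL are this example's assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
)

// fetchError is a constructed stand-in for the *url.Error the Go HTTP
// client returns when an outbound image request fails. Its text embeds the
// requested URL, which the attacker controls through the feed; the real
// error formats as `Get "<url>": <cause>`, which %q reproduces.
func fetchError(imageURL string) error {
	return fmt.Errorf("Get %q: dial tcp: connection refused", imageURL)
}

// vulnerableErrorHandler shows the advisory's failure mode: the error string
// is interpolated into an HTML body unescaped and no CSP is set, so markup
// in the image URL is rendered by the browser.
func vulnerableErrorHandler(w http.ResponseWriter, err error) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusInternalServerError)
	fmt.Fprintf(w, "<html><body><h1>Server Error</h1><p>%s</p></body></html>", err.Error())
}

// hardenedErrorHandler escapes the error text and sends a restrictive CSP on
// the error path too. The policy value is an assumption for this example,
// not Miniflux's header.
func hardenedErrorHandler(w http.ResponseWriter, err error) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusInternalServerError)
	fmt.Fprintf(w, "<html><body><h1>Server Error</h1><p>%s</p></body></html>", html.EscapeString(err.Error()))
}

// render drives a handler through httptest and returns the body and the
// Content-Security-Policy header so the two behaviours can be compared.
func render(handler func(http.ResponseWriter, error), imageURL string) (body, csp string) {
	rec := httptest.NewRecorder()
	handler(rec, fetchError(imageURL))
	return rec.Body.String(), rec.Header().Get("Content-Security-Policy")
}

func main() {
	// Constructed malicious image URL; 203.0.113.0/24 is a documentation range.
	payload := "http://203.0.113.5/<img src=x onerror=alert(1)>"
	body, csp := render(vulnerableErrorHandler, payload)
	fmt.Printf("vulnerable: csp=%q\n%s\n\n", csp, body)
	body, csp = render(hardenedErrorHandler, payload)
	fmt.Printf("hardened: csp=%q\n%s\n", csp, body)
}
```

The vulnerable body carries the raw <img ...> tag from the URL and no CSP header, so the payload runs if a user opens the broken image in a tab; the hardened body contains only the &lt;img ...&gt; entity form and carries the policy header.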
Miniflux security vulnerability
Miniflux is a minimalist feed reader. A security vulnerability exists in Miniflux versions prior to 2.0.43. An attacker exploiting this vulnerability could access Prometheus metrics...