3 matches found
lemmy_server (>=0.11.3-rc.5 <=0.16.2-rc.1) potentially affected by unknown CVE via lemmy_api (>=0.11.3-rc.5 <=0.16.2-rc.1)
lemmy_api (CARGO), version =0.11.3-rc.5, =0.11.3-rc.5, =0.16.2-rc.1. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-JMXC-HHWX-GVV3...
CVE-2026-33693
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the...
GHSA-WR2M-38XH-RPC9 Lemmy user purging users or communities or banning users can delete images they didn't upload/exclusively use
Summary: An improper uploaded media ownership check can result in inadvertent deletion of media when a user is banned with content removal or purged. This can lead to deletion of media that was not uploaded by the banned/purged user. This also applies to purged communities, in which case all media...