6 matches found
CVE-2026-56772
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary userid values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate userid values to access...
CVE-2026-56772
NewsBlur
CVE-2026-56771
NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the addurl endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and...
CVE-2026-56771
NewsBlur prior to 14.5.0 is affected by an SSRF in the add_url endpoint. The issue lets authenticated users trigger arbitrary server requests to internal networks by failing to filter private IPs, potentially reaching localhost services and cloud metadata endpoints. This enables internal network ...
PT-2026-52545
Name of the Vulnerable Software and Affected Versions NewsBlur versions prior to 14.5.0 Description Authenticated users can perform server-side request forgery SSRF via the 'add url' endpoint. This occurs because the application fails to filter private IP addresses, allowing arbitrary server...
Hacker wipes out database of RSS newsreader service NewsBlur
By Deeba Ahmed Personal newsreader NewsBlur service has been restored after a hacker wiped out MongoDB data that was exposed to public access. This is a post from HackRead.com Read the original post: Hacker wipes out database of RSS newsreader service NewsBlur...