
1272 matches found

Vulnrichment | added 2026/05/11 5:00 p.m. | 6 views

CVE-2026-44658 Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation

Zen is a Firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and...

CVSS 2.4 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 1
CVE | added 2026/05/11 5:00 p.m. | 11 views

CVE-2026-44658

CVE-2026-44658 (Zen Browser): Zen Browser is a Firefox-based browser. The issue arises when RSS/Atom item links parsed from feeds are mapped to item.url without the same http/https scheme restriction applied in promptForFeedUrl; these links are then used by the live-folder manager to create pinn...

CVSS 2.4 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 1
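Added example, not Zen Browser's code, of the check the two CVE-2026-44658 entries above describe: the same http/https allowlist that promptForFeedUrl applies to the user-entered feed URL is applied to every item link a feed publisher controls, before any link reaches a trusted sink such as pinned-tab creation. The function names, the item shape and the sample feed are assumptions made for this example.

```javascript
// Added example (not Zen Browser's code): the item links a feed publisher
// controls get the same http/https allowlist as the user-entered feed URL,
// before any of them reaches a trusted sink such as pinned-tab creation.
// Function names, the item shape and the sample feed are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a canonical http(s) URL string, or null when the link must be dropped.
// Relative links resolve against the (already validated) feed URL and so inherit
// its scheme; absolute links with any other scheme (javascript:, data:, file:,
// about:, chrome:, ...) are rejected. Checking the parsed protocol rather than
// a string prefix also catches spellings the URL parser normalises away, such
// as "JavaScript:" or a tab inserted inside "javascript:".
function safeItemUrl(link, feedUrl) {
  if (typeof link !== "string" || link.trim() === "") return null;
  let url;
  try {
    url = new URL(link.trim(), feedUrl);
  } catch {
    return null; // unparsable link
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Maps parsed RSS/Atom items to the shape a live folder consumes, keeping only
// items whose link survived the scheme check (presence alone is not enough).
function buildLiveFolderItems(feedUrl, rawItems) {
  const out = [];
  for (const raw of rawItems) {
    const url = safeItemUrl(raw.link, feedUrl);
    if (url !== null) out.push({ title: raw.title ?? "", url });
  }
  return out;
}

// Constructed sample feed: the feed URL already passed the http/https check;
// the item links are what a hostile publisher controls.
const FEED_URL = "https://feeds.example.com/news.xml";
const SAMPLE_ITEMS = [
  { title: "ok absolute", link: "https://example.com/post/1" },
  { title: "ok relative", link: "/post/2" },
  { title: "ok protocol-relative", link: "//cdn.example.com/post/3" },
  { title: "bad javascript", link: "javascript:alert(document.domain)" },
  { title: "bad mixed case", link: "JavaScript:alert(1)" },
  { title: "bad data", link: "data:text/html,<script>alert(1)</script>" },
  { title: "bad file", link: "file:///etc/passwd" },
  { title: "bad about", link: "about:config" },
  { title: "bad chrome", link: "chrome://browser/content/browser.xhtml" },
  { title: "bad blank", link: "   " },
  { title: "bad missing" },
];

// Returns just the URLs that would be handed to the live folder.
function demo() {
  return buildLiveFolderItems(FEED_URL, SAMPLE_ITEMS).map((i) => i.url);
}
```

The point of doing the check on the parsed `URL` object is that the decision and the sink see the same value: a relative link is resolved to the feed's own scheme, and anything that is not http(s) after parsing is dropped rather than forwarded on the strength of a non-empty string.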
Snyk | added 2026/05/07 9:18 p.m. | 4 views

Improper Encoding or Escaping of Output

Overview: Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the RSS feed rendering process. An attacker can execute arbitrary JavaScript in the context of RSS readers by injecting malicious tag names or raw HTML markdown content. This is only exploitab...

CVSS 4.8 | AI score 6
Exploits: 0 | References: 3
Github Security Blog | added 2026/05/07 9:18 p.m. | 8 views

Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers

Summary: The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.Appendf(renderedContent, "%s", tag.Name) at internal/service/common/common.go:120, and the Markdown renderer at internal/util/md/md.go does not set the html.SkipHTML...

AI score 5.9
Exploits: 0 | References: 3 | Affected software: 1
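Added example, not Ech0's code, of the escaping the two Ech0 entries above call for. Every attacker-influenced field written into the feed document (tag names, title, post body) is XML-escaped, so a tag named `<script>` reaches the subscriber's reader as literal text; the naive rendering is kept beside it to show what a reader would otherwise receive. The post shape, the function names and the hostile sample post are assumptions.

```javascript
// Added example (not Ech0's code): feed rendering with XML escaping on every
// text node, beside the unescaped "before" form. Post shape and names assumed.
function escapeXml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// The shape of the bug: values interpolated into markup verbatim, so a tag
// name or post body containing markup is delivered as markup.
function renderItemUnsafe(post) {
  const cats = post.tags.map((t) => `<category>${t}</category>`).join("");
  return `<item><title>${post.title}</title>${cats}` +
    `<description>${post.html}</description></item>`;
}

// Hardened form: every text node is escaped. Escaping post.html means the
// reader shows it as literal text, which is the safe default when the markdown
// renderer is allowed to pass raw HTML through. A feed that must deliver rich
// HTML has to run an allowlist sanitizer over post.html before this point;
// wrapping it in CDATA changes nothing, the reader still renders what is inside.
function renderItem(post) {
  const cats = post.tags.map((t) => `<category>${escapeXml(t)}</category>`).join("");
  return `<item><title>${escapeXml(post.title)}</title>${cats}` +
    `<description>${escapeXml(post.html)}</description></item>`;
}

// Structural check: true when any '<' or '>' remains outside the fixed
// element tags this renderer emits itself.
function hasForeignMarkup(xml) {
  const stripped = xml.replace(/<\/?(item|title|category|description)>/g, "");
  return /[<>]/.test(stripped);
}

// Constructed hostile post (not taken from any real feed).
const HOSTILE_POST = {
  title: "Hello & welcome",
  tags: ["golang", "<script>alert(document.domain)</script>", "R&D"],
  html: "<p>ok</p><img src=x onerror=alert(1)>",
};

function demo() {
  return { unsafe: renderItemUnsafe(HOSTILE_POST), safe: renderItem(HOSTILE_POST) };
}
```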
Cvelist | added 2026/03/30 6:00 p.m. | 18 views

CVE-2026-5126 SourceCodester RSS Feed Parser file_get_contents server-side request forgery

A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack can be carried out remotely. The exploit has been published and may be used...

CVSS 6.5 | EPSS 0.00015
Exploits: 0 | References: 5
CVE | added 2026/03/30 6:00 p.m. | 5 views

CVE-2026-5126

CVE-2026-5126 affects SourceCodester RSS Feed Parser 1.0. The flaw is in the function file_get_contents, enabling a server-side request forgery (SSRF). The attack can be carried out remotely, and the exploit has been published and may be used. This has been reflected across multiple s...

CVSS 6.5 | AI score 6.2 | EPSS 0.00015
Exploits: 0 | References: 5
ATTACKERKB | added 2026/03/30 6:00 p.m. | 2 views

CVE-2026-5126

A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack can be carried out remotely. The exploit has been published and may be used...

CVSS 6.5 | AI score 5.5 | EPSS 0.00015
Exploits: 0 | References: 5 | Affected software: 1
OSV | added 2026/03/27 3:47 p.m. | 1 view

GHSA-89V5-38XR-9M4J Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary: Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code: 1. Webhook Send Endpoint (Most Critical), apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: async sendWebhook(@Body...

CVSS 7.8 | AI score 6
Exploits: 0 | References: 5
Github Security Blog | added 2026/03/27 3:47 p.m. | 3 views

Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary: Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code: 1. Webhook Send Endpoint (Most Critical), apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: async sendWebhook(@Body...

AI score 6
Exploits: 0 | References: 5 | Affected software: 1
RedhatCVE | added 2026/03/26 3:03 p.m. | 2 views

CVE-2026-29097

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 an...

CVSS 7.5 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 1
NVD | added 2026/03/19 11:16 p.m. | 1 view

CVE-2026-29097

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 an...

CVSS 7.5 | EPSS 0.00021
Exploits: 0 | References: 2
ATTACKERKB | added 2026/03/19 10:39 p.m. | 1 view

CVE-2026-29097

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 an...

CVSS 7.1 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 3 | Affected software: 1
CVE | added 2026/03/19 10:39 p.m. | 4 views

CVE-2026-29097

SuiteCRM contains a Server-Side Request Forgery (SSRF) and Denial of Service (DoS) vulnerability in the RSS Feed Dashlet affecting versions prior to 7.15.1 and 8.9.3. The issue is resolved by upgrading to 7.15.1 or 8.9.3, which patch the vulnerability. The provided connected documents confirm the...

CVSS 7.5 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 2 | Affected software: 1
Vulnrichment | added 2026/03/19 10:39 p.m. | 1 view

CVE-2026-29097 SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 an...

CVSS 7.1 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 2
NVD | added 2026/03/19 2:16 p.m. | 2 views

CVE-2025-71259

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of...

CVSS 7.1 | EPSS 0.02828
Exploits: 1 | References: 3
Positive Technologies | added 2026/03/19 12:00 a.m. | 3 views

PT-2026-26431

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 an...

CVSS 7.1 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 5
Vulnrichment | added 2026/03/07 5:54 a.m. | 1 view

CVE-2026-27797 Homarr: Unauthenticated SSRF in rssFeed.ts

Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive (e.g., reaching...

CVSS 5.3 | AI score 5.8 | EPSS 0.00022
Exploits: 1 | References: 3
Cvelist | added 2026/03/07 5:54 a.m. | 27 views

CVE-2026-27797 Homarr: Unauthenticated SSRF in rssFeed.ts

Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive (e.g., reaching...

CVSS 5.3 | EPSS 0.00022
Exploits: 1 | References: 3
CVE | added 2026/03/07 5:54 a.m. | 7 views

CVE-2026-27797

CVE-2026-27797 affects Homarr, an open-source dashboard, in versions before 1.54.0. An unauthenticated Server-Side Request Forgery (SSRF) lets a remote attacker make the Homarr server perform arbitrary outbound HTTP requests, enabling potential internal-network access ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00022
Exploits: 1 | References: 3 | Affected software: 1
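The SourceCodester, Postiz, SuiteCRM, BMC FootPrints and Homarr entries above share one root cause: a URL supplied by a user (or read from a feed) is fetched server-side with no check on where it points. The following is an added example, not the code of any of those projects, of the guard such a fetcher needs: scheme allowlist, resolution of the host to addresses, rejection of loopback, private, link-local, CGNAT, multicast and cloud-metadata ranges, and re-validation of every redirect hop. The resolver and the single-request fetcher are injected so it runs offline on constructed DNS answers and canned responses; the hostnames, addresses and function names are all assumptions for the example.

```javascript
// Added example (not Postiz's, Homarr's, SuiteCRM's, BMC's or SourceCodester's
// code): an SSRF guard for a server-side feed fetcher. Resolver and fetcher are
// injected so it runs offline on constructed data; in production pass
// dns.promises.lookup(host, { all: true }) and a fetch that does not follow
// redirects on its own. All hostnames and addresses below are made up.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// IPv4 ranges a feed fetcher must never reach (169.254.169.254 is in 169.254/16).
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
  "224.0.0.0/4", "240.0.0.0/4",
];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidrV4(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedAddress(addr) {
  const ip = addr.toLowerCase();
  if (ipv4ToInt(ip) !== null) return BLOCKED_V4.some((c) => inCidrV4(ip, c));
  // IPv6: accept only global unicast (2000::/3) with an uncompressed first group.
  // That rejects ::, ::1, fc00::/7, fe80::/10, ff00::/8 and IPv4-mapped
  // ::ffff:a.b.c.d without a full parser; 6to4 (2002::/16) would need more.
  return !/^[23][0-9a-f]{3}:[0-9a-f:.]*$/.test(ip);
}

// Parses the URL, allowlists the scheme and checks every resolved address.
async function checkFeedUrl(rawUrl, resolve) {
  const url = new URL(rawUrl); // throws on unparsable input
  if (!ALLOWED_SCHEMES.has(url.protocol)) throw new Error("scheme " + url.protocol);
  if (url.username || url.password) throw new Error("credentials in URL");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // WHATWG keeps [] on IPv6
  const addrs = await resolve(host);
  if (addrs.length === 0) throw new Error("unresolvable " + host);
  for (const a of addrs) if (isBlockedAddress(a)) throw new Error("blocked " + a);
  return url;
}

// Follows redirects by hand so each hop is validated before it is fetched.
// Caveat: the fetcher resolves the name again after the check (a DNS rebinding
// window); closing it means connecting to the very address that was checked.
async function fetchFeed(rawUrl, { resolve, fetchOnce, maxRedirects = 3 }) {
  let current = rawUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const url = await checkFeedUrl(current, resolve);
    const res = await fetchOnce(url.href); // { status, headers, body }
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      current = new URL(res.headers.location, url).href;
      continue;
    }
    return res.body;
  }
  throw new Error("too many redirects");
}

// Constructed DNS answers and canned responses (no real host is contacted).
const FAKE_DNS = {
  "feeds.example.com": ["203.0.113.10"],
  "intranet.corp": ["10.0.0.5"],
  "rebind.attacker.test": ["203.0.113.10", "127.0.0.1"], // one bad record suffices
};
async function fakeResolve(host) {
  if (ipv4ToInt(host) !== null || host.includes(":")) return [host]; // IP literal
  return FAKE_DNS[host] ?? [];
}
const FAKE_RESPONSES = {
  "https://feeds.example.com/rss.xml": { status: 200, headers: {}, body: "<rss/>" },
  "https://feeds.example.com/moved": {
    status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "",
  },
};
async function fakeFetchOnce(href) {
  return FAKE_RESPONSES[href] ?? { status: 404, headers: {}, body: "" };
}

// Runs each URL through the guard; value is the body or "blocked: <reason>".
async function demo() {
  const urls = [
    "https://feeds.example.com/rss.xml", "https://feeds.example.com/moved",
    "http://intranet.corp/", "http://rebind.attacker.test/", "http://0x7f000001/",
    "http://[::1]/", "file:///etc/passwd", "http://user:pw@feeds.example.com/",
  ];
  const out = {};
  for (const u of urls) {
    try { out[u] = await fetchFeed(u, { resolve: fakeResolve, fetchOnce: fakeFetchOnce }); }
    catch (e) { out[u] = "blocked: " + e.message; }
  }
  return out;
}
```

Two details carry most of the value. The check runs on the addresses the name resolves to, not on the hostname string, so a public name with a private A record (rebinding, or simply a misconfigured zone) is caught, and the redirect is followed manually so a public feed that answers 302 to the metadata service is stopped on the second hop. The WHATWG `URL` parser also normalises shorthand IPv4 literals such as `0x7f000001` to `127.0.0.1` before the range check sees them. Node's built-in `net.BlockList` is a reasonable replacement for the hand-written range test in production.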
NVD | added 2026/02/28 10:16 p.m. | 2 views

CVE-2026-28559

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that...

CVSS 6.9 | EPSS 0.00069
Exploits: 0 | References: 3