36 matches found
CVE-2026-10513
The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...
CVE-2026-10513 Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' Author Properties
The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...
EUVD-2026-40376
The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...
CVE-2026-10513
CVE-2026-10513 affects the WordPress Webmention plugin (versions up to and including 5.8.0). The root cause is insufficient input sanitization and output escaping for MF2 author properties (avatar/url) processed by the unauthenticated webmention REST endpoint and rendered into HTML value attribut...
PT-2026-53940
Name of the Vulnerable Software and Affected Versions Webmention versions prior to 5.8.1 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping of user-supplied Microformat 2 MF2 author properties. An unauthenticated attacker can inject arbitrary...
CVE-2026-42180
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...
CVE-2026-42180
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...
CVE-2026-42180 Lemmy: SSRF in /api/v3/post via Webmention dispatch
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...
CVE-2026-42180
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...
EUVD-2026-28819
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...
CVE-2026-42180
Lemmy prior to version 0.19.18 is affected by a server-side request forgery: an authenticated low-privilege user can create a link post via POST /api/v3/post, and when posted to public communities Lemmy dispatches a Webmention to the target. The code path only validates the URL’s syntax/scheme (h...
CVE-2026-42180 Lemmy: SSRF in /api/v3/post via Webmention dispatch
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...
Lemmy has SSRF in /api/v3/post via Webmention dispatch
Summary Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but th...
GHSA-3JVJ-V6W2-H948 Lemmy has SSRF in /api/v3/post via Webmention dispatch
Summary Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but th...
PT-2026-37169
Name of the Vulnerable Software and Affected Versions Lemmy versions prior to 0.19.18 Description An authenticated low-privileged user can trigger server-side HTTP requests toward internal services. This occurs when a user creates a link post in a public community via the "POST /api/v3/post"...
CVE-2026-0688
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
CVE-2026-0686
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parseauthorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...
EUVD-2026-18132
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parseauthorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...
EUVD-2026-18134
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
CVE-2026-0688
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...