Lucene search
K

36 matches found

NVD
NVD
added 2026/06/30 7:16 p.m.7 views

CVE-2026-10513

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...

7.2CVSS0.00236EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/30 6:32 p.m.38 views

CVE-2026-10513 Webmention <= 5.8.0 - Unauthenticated Stored Cross-Site Scripting via MF2 'photo'/'url' Author Properties

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...

7.2CVSS0.00236EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/30 6:32 p.m.6 views

EUVD-2026-40376

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...

7.2CVSS5.9AI score0.00236EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 6:32 p.m.18 views

CVE-2026-10513

CVE-2026-10513 affects the WordPress Webmention plugin (versions up to and including 5.8.0). The root cause is insufficient input sanitization and output escaping for MF2 author properties (avatar/url) processed by the unauthenticated webmention REST endpoint and rendered into HTML value attribut...

7.2CVSS5.9AI score0.00236EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53940

Name of the Vulnerable Software and Affected Versions Webmention versions prior to 5.8.1 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping of user-supplied Microformat 2 MF2 author properties. An unauthenticated attacker can inject arbitrary...

7.2CVSS6.1AI score0.00236EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/05/13 8:23 p.m.11 views

CVE-2026-42180

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References1
NVD
NVD
added 2026/05/08 8:16 p.m.25 views

CVE-2026-42180

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...

6.3CVSS0.00184EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/08 7:29 p.m.9 views

CVE-2026-42180 Lemmy: SSRF in /api/v3/post via Webmention dispatch

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/08 7:29 p.m.6 views

CVE-2026-42180

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/08 7:29 p.m.8 views

EUVD-2026-28819

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References2
CVE
CVE
added 2026/05/08 7:29 p.m.17 views

CVE-2026-42180

Lemmy prior to version 0.19.18 is affected by a server-side request forgery: an authenticated low-privilege user can create a link post via POST /api/v3/post, and when posted to public communities Lemmy dispatches a Webmention to the target. The code path only validates the URL’s syntax/scheme (h...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/08 7:29 p.m.37 views

CVE-2026-42180 Lemmy: SSRF in /api/v3/post via Webmention dispatch

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controll...

6.3CVSS0.00184EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/24 3:22 p.m.11 views

Lemmy has SSRF in /api/v3/post via Webmention dispatch

Summary Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but th...

6.3CVSS5.6AI score0.00184EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/24 3:22 p.m.7 views

GHSA-3JVJ-V6W2-H948 Lemmy has SSRF in /api/v3/post via Webmention dispatch

Summary Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but th...

6.3CVSS5.7AI score0.00184EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.17 views

PT-2026-37169

Name of the Vulnerable Software and Affected Versions Lemmy versions prior to 0.19.18 Description An authenticated low-privileged user can trigger server-side HTTP requests toward internal services. This occurs when a user creates a link post in a public community via the "POST /api/v3/post"...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/04/03 10:57 a.m.6 views

CVE-2026-0688

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

6.4CVSS6AI score0.00201EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/03 10:57 a.m.5 views

CVE-2026-0686

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parseauthorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...

7.2CVSS6AI score0.00302EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/02 9:30 a.m.8 views

EUVD-2026-18132

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parseauthorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...

7.2CVSS5.9AI score0.00302EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/02 9:30 a.m.7 views

EUVD-2026-18134

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

6.4CVSS5.9AI score0.00201EPSS
Exploits0References5
NVD
NVD
added 2026/04/02 8:16 a.m.7 views

CVE-2026-0688

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

6.4CVSS0.00201EPSS
Exploits0References4
Rows per page
Query Builder