{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.928Z", "datePublished": "2026-01-08T13:57:25.445Z", "dateUpdated": "2026-01-08T15:55:28.121Z"}, "containers": {"cna": {"title": "Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp"}], "affected": [{"vendor": "miniflux", "product": "v2", "versions": [{"version": "< 2.2.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T13:57:25.445Z"}, "descriptions": [{"lang": "en", "value": "Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue."}], "source": {"advisory": "GHSA-xwh2-742g-w3wp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T14:52:34.949191Z", "id": "CVE-2026-21885", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:55:28.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21885", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:52:34.949191Z"}}}], "references": [{"url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:52:37.831Z"}}], "cna": {"title": "Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources", "source": {"advisory": "GHSA-xwh2-742g-w3wp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "miniflux", "product": "v2", "versions": [{"status": "affected", "version": "< 2.2.16"}]}], "references": [{"url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp", "name": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T13:57:25.445Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21885", "state": "PUBLISHED", "dateUpdated": "2026-01-08T15:55:28.121Z", "dateReserved": "2026-01-05T17:24:36.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T13:57:25.445Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miniflux_project:miniflux:*:*:*:*:*:go:*:*", "matchCriteriaId": "145FED28-3379-45DD-B388-01F5ADF6A766", "versionEndExcluding": "2.2.16", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue."}], "id": "CVE-2026-21885", "lastModified": "2026-01-12T16:55:42.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T14:15:57.257", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:44:41.007035+00:00", "value": {"mitigation_remediation": ["Upgrade Miniflux to version 2.2.16 or newer, which removes the ability to target internal addresses via the media proxy.", "If a patch is not immediately deployable, block external access to the /proxy/* endpoint or disable that endpoint in the application's configuration to prevent SSRF requests.", "Configure network segmentation so that the Miniflux server resides on a subnet that does not contain critical internal services, mitigating the impact of any future SSRF exploitation."], "summary": {"action": "Patch", "impact": "Access to Internal Network Resources"}, "threat_synthesis": {"affected_systems": "Miniflux version 2 before 2.2.16 is affected. The vulnerability is present in Miniflux v2 and has been fixed in release 2.2.16, which replaces the media proxy logic to reject internal addresses.", "description_and_impact": "The flaw is a Server\u2011Side Request Forgery in the media proxy endpoint that an authenticated user can exploit to force Miniflux to fetch arbitrary URLs. Because the endpoint accepts any encoded URL, an attacker can target internal IPs, including localhost, RFC1918 addresses, or link\u2011local cloud metadata services. The proxy then returns the fetched content, enabling reading of internal resources and potentially gleaning credentials or other sensitive information.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity level. The EPSS score is less than 1%, implying a low probability that the flaw will be exploited in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user to generate a proxy URL, and once the URL is accessed the server contacts the target address, making the attack vector internal to the application. Attacks that succeed could expose internal services and data, but would not grant direct execution or privilege escalation on the host itself. The combination of moderate severity and low exploitation probability suggests that while monitoring is advisable, immediate actions such as patching are recommended."}}}}, "created": "2026-04-18T16:45:05.232261+00:00", "updated": "2026-04-18T16:45:05.232273+00:00", "vendors": []}