{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29178", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.713Z", "datePublished": "2026-03-06T17:56:09.378Z", "dateUpdated": "2026-03-06T18:33:08.993Z"}, "containers": {"cna": {"title": "Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"}, {"name": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871", "tags": ["x_refsource_MISC"], "url": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871"}], "affected": [{"vendor": "LemmyNet", "product": "lemmy", "versions": [{"version": "< 0.19.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:56:09.378Z"}, "descriptions": [{"lang": "en", "value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16."}], "source": {"advisory": "GHSA-jvxv-2jjp-jxc3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:33:04.955735Z", "id": "CVE-2026-29178", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:33:08.993Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29178", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:33:04.955735Z"}}}], "references": [{"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:32:57.675Z"}}], "cna": {"title": "Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint", "source": {"advisory": "GHSA-jvxv-2jjp-jxc3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "LemmyNet", "product": "lemmy", "versions": [{"status": "affected", "version": "< 0.19.16"}]}], "references": [{"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3", "name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871", "name": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:56:09.378Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29178", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:33:08.993Z", "dateReserved": "2026-03-04T14:44:00.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T17:56:09.378Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16."}, {"lang": "es", "value": "Lemmy, un agregador de enlaces y foro para el fediverso, es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor a trav\u00e9s de una dependencia de activitypub_federation, un framework para la federaci\u00f3n de ActivityPub en Rust. Antes de la versi\u00f3n 0.19.16, el endpoint GET /API/v4/image/{filename} es vulnerable a SSRF no autenticado a trav\u00e9s de la inyecci\u00f3n de par\u00e1metros en el par\u00e1metro de consulta file_type. Un atacante puede inyectar par\u00e1metros de consulta arbitrarios en la petici\u00f3n interna a pict-rs, incluyendo el par\u00e1metro proxy que hace que pict-rs obtenga URLs arbitrarias. Este problema ha sido parcheado en la versi\u00f3n 0.19.16."}], "id": "CVE-2026-29178", "lastModified": "2026-04-28T21:11:07.100", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T18:16:20.650", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871"}, {"source": "security-advisories@github.com", "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.19.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "lemmy", "source": "cna", "vendor": "LemmyNet"}, "product": "lemmy", "vendor": "lemmynet"}], "analysis": {"en": {"generated_at": "2026-04-16T11:15:59.204160+00:00", "value": {"mitigation_remediation": ["Upgrade Lemmy to version\u202f0.19.16 or later, which contains the fix for the SSRF flaw.", "If an upgrade cannot be performed immediately, restrict access to the /api/v4/image endpoint to authenticated users or internal networks by configuring a firewall or application\u2011layer access control.", "Disable or limit outbound traffic from the server or the pict\u2011rs component, or deploy a network proxy that filters outbound requests to prevent unintended SSRF."], "summary": {"action": "Immediate Patch", "impact": "Remote Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw exists in LemmyNet Lemmy versions older than 0.19.16, where the activitypub_federation dependency is used to route image requests via pict\u2011rs.", "description_and_impact": "The Lemmy link aggregator is vulnerable to a Server\u2011Side Request Forgery (SSRF) that allows an unauthenticated attacker to inject arbitrary query parameters into the file_type query string of the /api/v4/image/{filename} endpoint, causing the internal pict\u2011rs service to fetch arbitrary URLs. This flaw permits the attacker to coerce the server into making outbound HTTP requests to arbitrary destinations, potentially exposing internal resources or exfiltrating data. The weakness is a classic case of insecure proxy use, mapped to CWE\u2011918.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.7 and an EPSS score less than 1%, indicating high severity but very low probability of exploitation. It is not listed in CISA\u2019s KEV catalog. The attack vector is likely remote, through the publicly accessible /api/v4/image endpoint, and requires no authentication. The patch is available in version 0.19.16, making upgrade the most effective mitigation."}}}}, "created": "2026-03-09T10:07:10.497069+00:00", "updated": "2026-04-16T11:30:15.892778+00:00", "vendors": ["lemmynet", "lemmynet$PRODUCT$lemmy"]}