CVE-2026-39376

Exploit

EPSS 0.04%
Veröffentlicht 07.04.2026 19:46:08
Zuletzt bearbeitet 14.04.2026 20:12:28
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kagi ≫ Fastfeedparser SwPlatformpython Version < 0.5.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.121

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-39376

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39376

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39376

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39376