CVE-2026-21885
- EPSS 0.04%
- Published 08.01.2026 13:57:25
- Last modified 12.01.2026 16:55:42
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to ge...
CVE-2025-67713
- EPSS 0.05%
- Published 11.12.2025 00:17:00
- Last modified 02.02.2026 15:05:56
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat `redirect_url` as safe when `url.Parse(...).IsAbs()` is false, enabling phishing flows after login. Protocol-relative URLs like `//ikotaslabs.com` have an empty scheme and pass that ...
CVE-2023-27591
- EPSS 0.29%
- Published 17.03.2023 20:15:13
- Last modified 21.11.2024 07:53:12
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is se...
CVE-2023-27592
- EPSS 0.49%
- Published 17.03.2023 20:15:13
- Last modified 21.11.2024 07:53:13
Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the...