CVE-2026-21885

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp
https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp

Configurations

No configuration.

History

08 Jan 2026, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp -~~	() https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp -

08 Jan 2026, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-08 14:15

Updated : 2026-01-08 18:08

NVD link : CVE-2026-21885

Mitre link : CVE-2026-21885

CVE.ORG link : CVE-2026-21885

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

6.5 /10