CVE-2026-56771

NewsBlur < 14.5.0 - Server-Side Request Forgery via add_url Endpoint

CVSS 6.3 MEDIUMEPSS 0.2%CWE-918

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

25 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N

Productos afectados

samuelclay · NewsBlur

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/samuelclay/NewsBlur/commit/2e6c6812c94f35a731bda864de5aef39f18307f1 https://github.com/samuelclay/NewsBlur/commit/af742daeca7cc6c8b0d58cbea381e7bc44daa520 https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0 https://www.vulncheck.com/advisories/newsblur-server-side-request-forgery-via-add-url-endpoint