Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable HTTP endpoint, single crafted request, no authentication or user interaction, code injection yields full confidentiality, integrity and availability impact within the web application's privileges.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.
AnalysisAI
Remote code execution in fossar selfoss v2.20-SNAPSHOT allows unauthenticated attackers to execute arbitrary commands and retrieve sensitive data by sending a crafted HTTP request to the loopback request handling component. The flaw carries a CVSS 9.8 score and a public gist (likely containing proof-of-concept material) is referenced, though EPSS exploitation probability remains low at 0.19% and the issue is not listed in CISA KEV.
Technical ContextAI
selfoss is an open-source PHP-based RSS reader, multi-purpose live stream, mashup and aggregation web application maintained by the fossar organization. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code, i.e. Code Injection) and resides in the loopback request handling component - the internal mechanism selfoss uses to dispatch HTTP requests to itself, typically used for spout (feed source) processing and background tasks. Improper sanitization or validation of attacker-controlled input that flows into a code-execution sink (such as eval, dynamic include, or command shell call) within this loopback path enables an attacker to coerce the server into executing arbitrary code in the application's context.
RemediationAI
No vendor-released patch identified at time of analysis - the EUVD and NVD references do not cite a fixed version or commit. Operators should monitor the fossar/selfoss GitHub repository for a security release that supersedes v2.20-SNAPSHOT and upgrade as soon as one is published. As compensating controls in the interim, restrict network exposure of the selfoss instance by placing it behind an authenticating reverse proxy (HTTP basic auth or SSO) so that anonymous requests cannot reach the loopback endpoint, and firewall the application port to trusted source IPs only; this preserves normal feed-reader use for known users but breaks any public-facing deployment. Consider running selfoss under a low-privilege OS user with no shell, and applying egress filtering from the host so that successful RCE cannot be used to fetch second-stage payloads or exfiltrate data; consult the gist at https://gist.github.com/pyuysig/272bf96c028ed45ad010b7c75937c914 and the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-50872 for any later-added mitigation guidance.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36770
GHSA-gqmg-cfhg-mw2q