Skip to main content

fossar selfoss CVE-2026-50872

| EUVDEUVD-2026-36770 CRITICAL
Code Injection (CWE-94)
2026-06-15 mitre GHSA-gqmg-cfhg-mw2q
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable HTTP endpoint, single crafted request, no authentication or user interaction, code injection yields full confidentiality, integrity and availability impact within the web application's privileges.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 16, 2026 - 15:33 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
9.8 (CRITICAL)
CVE Published
Jun 15, 2026 - 00:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.

AnalysisAI

Remote code execution in fossar selfoss v2.20-SNAPSHOT allows unauthenticated attackers to execute arbitrary commands and retrieve sensitive data by sending a crafted HTTP request to the loopback request handling component. The flaw carries a CVSS 9.8 score and a public gist (likely containing proof-of-concept material) is referenced, though EPSS exploitation probability remains low at 0.19% and the issue is not listed in CISA KEV.

Technical ContextAI

selfoss is an open-source PHP-based RSS reader, multi-purpose live stream, mashup and aggregation web application maintained by the fossar organization. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code, i.e. Code Injection) and resides in the loopback request handling component - the internal mechanism selfoss uses to dispatch HTTP requests to itself, typically used for spout (feed source) processing and background tasks. Improper sanitization or validation of attacker-controlled input that flows into a code-execution sink (such as eval, dynamic include, or command shell call) within this loopback path enables an attacker to coerce the server into executing arbitrary code in the application's context.

RemediationAI

No vendor-released patch identified at time of analysis - the EUVD and NVD references do not cite a fixed version or commit. Operators should monitor the fossar/selfoss GitHub repository for a security release that supersedes v2.20-SNAPSHOT and upgrade as soon as one is published. As compensating controls in the interim, restrict network exposure of the selfoss instance by placing it behind an authenticating reverse proxy (HTTP basic auth or SSO) so that anonymous requests cannot reach the loopback endpoint, and firewall the application port to trusted source IPs only; this preserves normal feed-reader use for known users but breaks any public-facing deployment. Consider running selfoss under a low-privilege OS user with no shell, and applying egress filtering from the host so that successful RCE cannot be used to fetch second-stage payloads or exfiltrate data; consult the gist at https://gist.github.com/pyuysig/272bf96c028ed45ad010b7c75937c914 and the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-50872 for any later-added mitigation guidance.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-50872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy