Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint requires low-privilege auth; scope changes to subsequent cloud systems where high confidentiality impact arises from IAM credential exposure via metadata service.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.
AnalysisAI
Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated NewsBlur user account, confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N) accurately captures the risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a NewsBlur user account on a cloud-hosted instance and submits a POST request to /reader/add_url with the url parameter set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The unpatched server, lacking private-IP validation, fetches this URL and returns the cloud instance's temporary IAM role credentials in the response body. … |
| Remediation | Upgrade NewsBlur to version 14.5.0 or later; this version introduces the utils.url_safety module and replaces all unsafe outbound HTTP calls with validate_public_url() and safe_requests_get() across apps/reader/views.py, apps/rss_feeds/models.py, apps/rss_feeds/icon_importer.py, and apps/rss_feeds/page_importer.py. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39524
GHSA-hggv-jxwf-w664