Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no auth (PR:N), scope changes to affect internal systems (S:C), blind SSRF causes low integrity impact on subsequent systems with no confirmed data exfiltration (C:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery (SSRF) vulnerability in URL preview functionality in UrlPreviewService. Due to missing network restrictions before establishing outbound connections, a remote attacker can cause the Misskey server to initiate HTTP requests to loopback, private, or link-local services. Because IP address validation takes place after the request has been sent and the process is subsequently rejected, no sensitive internal data is believed to be transmitted back or exposed to the attacker. This issue is fixed in version 2026.6.0.
AnalysisAI
Server-Side Request Forgery in Misskey's UrlPreviewService allows remote unauthenticated attackers to coerce the platform's backend into initiating outbound HTTP connections toward loopback addresses, RFC-1918 private ranges, and link-local networks. The root cause is that IP address validation is applied only after the TCP connection has already been established, meaning the outbound request reaches the internal target before the check rejects it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The URL preview feature must be enabled and accessible - no special non-default configuration is indicated as required, meaning any Misskey instance with URL preview active (the default) is vulnerable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) scores 6.9, reflecting easy remote triggering with no authentication or user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker submits a URL pointing to an attacker-controlled domain whose DNS resolves to a private or loopback address (DNS rebinding is not required - a static A record to 192.168.1.1 or 127.0.0.1 suffices). Misskey's UrlPreviewService resolves the name, opens an HTTP connection to the internal target, and dispatches the request before the IP-validation check fires and terminates the process. … |
| Remediation | The primary fix is to upgrade Misskey to version 2026.6.0 or later, which corrects the post-connection IP validation order in UrlPreviewService (patch commit: https://github.com/misskey-dev/misskey/commit/1eac4ccf513a067b9f7b7d123057c09a389fccee). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r
Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel
Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i
Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i
Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote
Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8),
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote
Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote
Misskey is an open source, federated social media platform.
federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43040