Skip to main content

Misskey CVE-2026-57575

| EUVDEUVD-2026-43040 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-10 GitHub_M
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.8 MEDIUM

Network-reachable with no auth (PR:N), scope changes to affect internal systems (S:C), blind SSRF causes low integrity impact on subsequent systems with no confirmed data exfiltration (C:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 22:08 vuln.today
Patch available
Jul 10, 2026 - 22:02 EUVD

DescriptionCVE.org

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery (SSRF) vulnerability in URL preview functionality in UrlPreviewService. Due to missing network restrictions before establishing outbound connections, a remote attacker can cause the Misskey server to initiate HTTP requests to loopback, private, or link-local services. Because IP address validation takes place after the request has been sent and the process is subsequently rejected, no sensitive internal data is believed to be transmitted back or exposed to the attacker. This issue is fixed in version 2026.6.0.

AnalysisAI

Server-Side Request Forgery in Misskey's UrlPreviewService allows remote unauthenticated attackers to coerce the platform's backend into initiating outbound HTTP connections toward loopback addresses, RFC-1918 private ranges, and link-local networks. The root cause is that IP address validation is applied only after the TCP connection has already been established, meaning the outbound request reaches the internal target before the check rejects it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted URL to preview endpoint
Delivery
DNS resolves to internal/loopback address
Exploit
UrlPreviewService opens TCP connection to target
Execution
HTTP request dispatched to internal service
Persist
Post-connection IP check rejects and aborts
Impact
Internal service receives and processes blind request

Vulnerability AssessmentAI

Exploitation The URL preview feature must be enabled and accessible - no special non-default configuration is indicated as required, meaning any Misskey instance with URL preview active (the default) is vulnerable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) scores 6.9, reflecting easy remote triggering with no authentication or user interaction required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker submits a URL pointing to an attacker-controlled domain whose DNS resolves to a private or loopback address (DNS rebinding is not required - a static A record to 192.168.1.1 or 127.0.0.1 suffices). Misskey's UrlPreviewService resolves the name, opens an HTTP connection to the internal target, and dispatches the request before the IP-validation check fires and terminates the process. …
Remediation The primary fix is to upgrade Misskey to version 2026.6.0 or later, which corrects the post-connection IP validation order in UrlPreviewService (patch commit: https://github.com/misskey-dev/misskey/commit/1eac4ccf513a067b9f7b7d123057c09a389fccee). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-32983 HIGH POC
7.5 Jun 03

Misskey is an open source, decentralized microblogging platform. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2019-1020010 MEDIUM POC
6.1 Jul 29

Misskey before 10.102.4 allows hijacking a user's token. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2023-24812 CRITICAL
9.8 Feb 22

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.8), this vulnerability i

CVE-2023-52139 CRITICAL
9.6 Dec 29

Misskey is an open source, decentralized social media platform. Rated critical severity (CVSS 9.6), this vulnerability i

CVE-2025-46559 MEDIUM POC
5.4 May 05

Misskey is an open source, federated social media platform. Rated medium severity (CVSS 5.4), this vulnerability is remo

CVE-2024-52591 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-52590 HIGH
8.8 Dec 18

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2024-25636 HIGH
8.8 Feb 19

Misskey is an open source, decentralized social media platform with ActivityPub support. Rated high severity (CVSS 8.8),

CVE-2025-24897 HIGH
8.2 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.2), this vulnerability is remote

CVE-2025-24896 HIGH
8.1 Feb 11

Misskey is an open source, federated social media platform. Rated high severity (CVSS 8.1), this vulnerability is remote

CVE-2026-28431 HIGH
7.5 Mar 10

Misskey is an open source, federated social media platform.

CVE-2026-28432 HIGH
7.5 Mar 10

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryp

Share

CVE-2026-57575 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy