Miniflux
Miniflux's media proxy endpoint is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.2.16, allowing authenticated users to craft malicious proxy URLs that force the application to fetch and expose responses from internal network resources including localhost and private IP ranges. An attacker with valid credentials can abuse this to access sensitive internal services and metadata endpoints by embedding specially crafted URLs in feed content. Public exploit code exists for this vulnerability, and no patch is currently available for affected installations.
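A destination check of the kind that blocks this class of request, written as an added example; it is not Miniflux's code or its fix. The names `CheckProxyTarget`, `internalAddr`, `constructedResolver` and the `example.org` hosts are hypothetical, and the resolver is injected (with constructed records) so the check runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

var ErrBlocked = errors.New("proxy target not allowed")

// internalAddr: loopback, private, link-local (incl. 169.254.169.254), multicast, unspecified.
func internalAddr(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsMulticast() || a.IsUnspecified()
}

// CheckProxyTarget rejects a URL whose host is, or resolves to, an internal address.
func CheckProxyTarget(raw string, resolve func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return ErrBlocked
	}
	host, addrs := u.Hostname(), []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = append(addrs, ip) // literal IP: no lookup needed
	} else if addrs, err = resolve(host); err != nil || len(addrs) == 0 {
		return ErrBlocked // unresolvable names fail closed
	}
	for _, a := range addrs { // every record must be public, not only the first
		if internalAddr(a) {
			return fmt.Errorf("%w: %s -> %s", ErrBlocked, host, a)
		}
	}
	return nil
}

// constructedDNS is constructed sample data standing in for real DNS answers.
var constructedDNS = map[string][]netip.Addr{
	"images.example.org":   {netip.MustParseAddr("93.184.216.34")},
	"intranet.example.org": {netip.MustParseAddr("93.184.216.34"), netip.MustParseAddr("10.0.0.5")},
}
func constructedResolver(host string) ([]netip.Addr, error) {
	return constructedDNS[host], nil
}

func main() {
	fmt.Println(CheckProxyTarget("http://169.254.169.254/", constructedResolver))
}
```

A pre-flight check like this covers only the first lookup; the same address test also has to run on the IP the HTTP client actually connects to (for example in a `net.Dialer` `Control` hook) and on every redirect hop.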