CVE Catalog

CVE-2026-56771

HighCVSS 8.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.

Risk Assessment

The risk for the organization includes the possibility of attacks on internal network resources, including local services and cloud metadata, which can lead to leakage of confidential information and privilege escalation in the environment.

Recommendation

It is recommended to immediately update NewsBlur to version 14.5.0 or later, which includes a fix filtering private IP addresses in the add_url endpoint.

Original NVD description (English source)

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS