CVE-2026-57940
CVSS: 2.1 (Low)
Exploitation Probability (EPSS): Low risk, 14th percentile (higher than 14% of all known CVEs)
Summary (original NVD description)
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
Risk Assessment
The risk includes the ability to scan internal networks, read local server files (e.g., /etc/passwd), and access cloud metadata services, potentially leading to sensitive data leakage and further attack escalation.
Recommendation
It is recommended to update HTMLy to the latest version immediately. Until that is done, restrict access to the RSS import function to trusted administrators only, and validate the supplied URL before fetching it (e.g., block internal addresses and reject protocols other than HTTP/HTTPS).
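The validation described above, as an added example that is not HTMLy's own code: the function names (`validate_feed_url`, `get_feed_safe`, `is_internal_ip`) are hypothetical, and it assumes `allow_url_fopen` is enabled as it must already be for the original `file_get_contents()` call to reach a URL.

```php
<?php
// Added example (not HTMLy's own code): check a feed URL before fetching it,
// rejecting non-HTTP(S) schemes and hosts that resolve to internal addresses.

function is_internal_ip(string $ip): bool {
    // FILTER_FLAG_NO_PRIV_RANGE rejects RFC 1918 / IPv6 ULA ranges;
    // FILTER_FLAG_NO_RES_RANGE rejects loopback, link-local (which covers
    // 169.254.169.254) and other reserved ranges. filter_var returns false
    // for any of those, so "false" means "internal or not a valid address".
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function validate_feed_url(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // blocks file://, php://, gopher://, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // reject userinfo tricks such as http://trusted@169.254.169.254/
    }
    $host = trim($parts['host'], '[]'); // strip brackets from IPv6 literals
    // A literal IP is checked directly; a hostname is resolved and every
    // A/AAAA record is checked, so a name that points at an internal address fails.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : [];
    if (!$ips) {
        $records = array_merge(dns_get_record($host, DNS_A) ?: [],
                               dns_get_record($host, DNS_AAAA) ?: []);
        foreach ($records as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'];
        }
    }
    if (!$ips) {
        return null; // unresolvable host
    }
    foreach ($ips as $ip) {
        if (is_internal_ip($ip)) {
            return null;
        }
    }
    return $url;
}

function get_feed_safe(string $feed_url) {
    $url = validate_feed_url($feed_url);
    if ($url === null) {
        return false;
    }
    // Do not follow redirects (a public URL could 302 to an internal address)
    // and cap the wait so the importer cannot double as a slow port scanner.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($url, false, $ctx);
}
```

Resolving the host and then fetching by name still leaves a window for DNS rebinding between the two lookups; pinning the fetch to the address that was checked (for example with cURL's `CURLOPT_RESOLVE`) closes it.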