Vulnerability-Lookup

CVE-2026-42180 (GCVE-0-2026-42180)

Vulnerability from cvelistv5 – Published: 2026-05-08 19:29 – Updated: 2026-05-13 17:18

Title

Lemmy: SSRF in /api/v3/post via Webmention dispatch

Summary

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/LemmyNet/lemmy/security/adviso…	x_refsource_CONFIRM
https://github.com/LemmyNet/lemmy/releases/tag/0.19.18	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
LemmyNet	lemmy	Affected: < 0.19.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42180",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T17:17:59.971593Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T17:18:23.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lemmy",
          "vendor": "LemmyNet",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.19.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T19:29:04.132Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
        },
        {
          "name": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
        }
      ],
      "source": {
        "advisory": "GHSA-3jvj-v6w2-h948",
        "discovery": "UNKNOWN"
      },
      "title": "Lemmy: SSRF in /api/v3/post via Webmention dispatch"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42180",
    "datePublished": "2026-05-08T19:29:04.132Z",
    "dateReserved": "2026-04-25T01:53:21.582Z",
    "dateUpdated": "2026-05-13T17:18:23.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42180",
      "date": "2026-05-19",
      "epss": "0.00038",
      "percentile": "0.11331"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42180\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T20:16:31.023\",\"lastModified\":\"2026-05-13T18:16:15.470\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/LemmyNet/lemmy/releases/tag/0.19.18\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42180\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T17:17:59.971593Z\"}}}], \"references\": [{\"url\": \"https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T17:18:20.309Z\"}}], \"cna\": {\"title\": \"Lemmy: SSRF in /api/v3/post via Webmention dispatch\", \"source\": {\"advisory\": \"GHSA-3jvj-v6w2-h948\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"LemmyNet\", \"product\": \"lemmy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.19.18\"}]}], \"references\": [{\"url\": \"https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948\", \"name\": \"https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/LemmyNet/lemmy/releases/tag/0.19.18\", \"name\": \"https://github.com/LemmyNet/lemmy/releases/tag/0.19.18\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T19:29:04.132Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42180\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T17:18:23.284Z\", \"dateReserved\": \"2026-04-25T01:53:21.582Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T19:29:04.132Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-3JVJ-V6W2-H948

Vulnerability from github – Published: 2026-04-24 15:22 – Updated: 2026-05-13 13:34

Summary

Lemmy has SSRF in /api/v3/post via Webmention dispatch

Details

Summary

Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target.

The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services.

Details

The entry point is the normal post creation API. The user-controlled url field is accepted, normalized with diesel_url_create(), and only validated with is_valid_url(). That validation allows http and https but does not implement internal address rejection.

The post creation flow then schedules Webmention delivery for public communities. This creates a direct source-to-sink path from an externally supplied post URL to a server-side outbound HTTP request.

Core vulnerable code path:

// crates/api_crud/src/post/create.rs
let url = diesel_url_create(data.url.as_deref())?;
if let Some(url) = &url {
  is_url_blocked(url, &url_blocklist)?;
  is_valid_url(url)?;
}

// crates/utils/src/utils/validation.rs
pub fn is_valid_url(url: &Url) -> LemmyResult<()> {
  let is_valid = ["http", "https", "magnet"].contains(&url.scheme());
  if !is_valid {
    Err(LemmyErrorType::InvalidUrl)?
  }
  Ok(())
}

// crates/api_crud/src/post/create.rs
if community.visibility == CommunityVisibility::Public {
  let post = inserted_post.clone();
  let url = url.clone();
  spawn_try_task(async move {
    if let Some(url) = url {
      Webmention::new(post.ap_id.clone().into(), url.into()).send().await?;
    }
    Ok(())
  });
}

These snippets matter because they show that the attacker controls CreatePost.url, the only validation is scheme-level, and the resulting URL is later used for server-side Webmention delivery.

PoC

_Complete instructions, including specific configuration details, to reproduce the vulnerability._Prerequisites:

The attacker has a valid low-privileged account.
The attacker can post to a public community.

Practical reproduction flow:

Run an HTTP listener on an internal or loopback-reachable address from the Lemmy server's perspective, such as 127.0.0.1:8081.
Authenticate as a normal user.
Submit a post to a public community with url set to the internal target.
Observe the Lemmy API return a normal post creation response.
Observe the internal HTTP listener receive a request from the Lemmy server shortly afterwards.

Complete PoC:

POST /api/v3/post HTTP/1.1
Host: victim.example
Authorization: Bearer <low-priv-jwt>
Content-Type: application/json

{
  "name": "wm-ssrf",
  "community_id": 1,
  "url": "http://127.0.0.1:8081/",
  "body": null,
  "alt_text": null,
  "honeypot": null,
  "nsfw": false,
  "language_id": null,
  "custom_thumbnail": null
}

Outcome:

The API returns a successful post_view response.
The Lemmy server later issues an outbound request toward http://127.0.0.1:8081/ as part of Webmention processing.

Impact

An authenticated user can use the application server as a blind SSRF primitive against internal HTTP services. This can expose internal network reachability, trigger internal webhooks or administrative endpoints, and expand the attack surface beyond the public deployment boundary.

Because the sink is reached after ordinary user content submission, the issue is practical to exploit in real deployments where normal users can post to public communities.

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "lemmy_api_common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T15:22:49Z",
    "nvd_published_at": "2026-05-08T20:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nLemmy allows an authenticated low-privileged user to create a link post through `POST /api/v3/post`. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target.\n\nThe submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services.\n\n### Details\nThe entry point is the normal post creation API. The user-controlled `url` field is accepted, normalized with `diesel_url_create()`, and only validated with `is_valid_url()`. That validation allows `http` and `https` but does not implement internal address rejection.\n\nThe post creation flow then schedules Webmention delivery for public communities. This creates a direct source-to-sink path from an externally supplied post URL to a server-side outbound HTTP request.\n\nCore vulnerable code path:\n\n```rust\n// crates/api_crud/src/post/create.rs\nlet url = diesel_url_create(data.url.as_deref())?;\nif let Some(url) = \u0026url {\n  is_url_blocked(url, \u0026url_blocklist)?;\n  is_valid_url(url)?;\n}\n```\n\n```rust\n// crates/utils/src/utils/validation.rs\npub fn is_valid_url(url: \u0026Url) -\u003e LemmyResult\u003c()\u003e {\n  let is_valid = [\"http\", \"https\", \"magnet\"].contains(\u0026url.scheme());\n  if !is_valid {\n    Err(LemmyErrorType::InvalidUrl)?\n  }\n  Ok(())\n}\n```\n\n```rust\n// crates/api_crud/src/post/create.rs\nif community.visibility == CommunityVisibility::Public {\n  let post = inserted_post.clone();\n  let url = url.clone();\n  spawn_try_task(async move {\n    if let Some(url) = url {\n      Webmention::new(post.ap_id.clone().into(), url.into()).send().await?;\n    }\n    Ok(())\n  });\n}\n```\n\nThese snippets matter because they show that the attacker controls `CreatePost.url`, the only validation is scheme-level, and the resulting URL is later used for server-side Webmention delivery.\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._Prerequisites:\n\n- The attacker has a valid low-privileged account.\n- The attacker can post to a public community.\n\nPractical reproduction flow:\n\n1. Run an HTTP listener on an internal or loopback-reachable address from the Lemmy server\u0027s perspective, such as `127.0.0.1:8081`.\n2. Authenticate as a normal user.\n3. Submit a post to a public community with `url` set to the internal target.\n4. Observe the Lemmy API return a normal post creation response.\n5. Observe the internal HTTP listener receive a request from the Lemmy server shortly afterwards.\n\nComplete PoC:\n\n```http\nPOST /api/v3/post HTTP/1.1\nHost: victim.example\nAuthorization: Bearer \u003clow-priv-jwt\u003e\nContent-Type: application/json\n\n{\n  \"name\": \"wm-ssrf\",\n  \"community_id\": 1,\n  \"url\": \"http://127.0.0.1:8081/\",\n  \"body\": null,\n  \"alt_text\": null,\n  \"honeypot\": null,\n  \"nsfw\": false,\n  \"language_id\": null,\n  \"custom_thumbnail\": null\n}\n```\n\nOutcome:\n\n- The API returns a successful `post_view` response.\n- The Lemmy server later issues an outbound request toward `http://127.0.0.1:8081/` as part of Webmention processing.\n### Impact\nAn authenticated user can use the application server as a blind SSRF primitive against internal HTTP services. This can expose internal network reachability, trigger internal webhooks or administrative endpoints, and expand the attack surface beyond the public deployment boundary.\n\nBecause the sink is reached after ordinary user content submission, the issue is practical to exploit in real deployments where normal users can post to public communities.",
  "id": "GHSA-3jvj-v6w2-h948",
  "modified": "2026-05-13T13:34:08Z",
  "published": "2026-04-24T15:22:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/commit/1f06693b708020c5c3a3752bd2f1c6006a75e9bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/LemmyNet/lemmy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lemmy has SSRF in /api/v3/post via Webmention dispatch"
}

FKIE_CVE-2026-42180

Vulnerability from fkie_nvd - Published: 2026-05-08 20:16 - Updated: 2026-05-13 18:16

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/LemmyNet/lemmy/releases/tag/0.19.18
	security-advisories@github.com	https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18."
    }
  ],
  "id": "CVE-2026-42180",
  "lastModified": "2026-05-13T18:16:15.470",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T20:16:31.023",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/LemmyNet/lemmy/releases/tag/0.19.18"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42180 (GCVE-0-2026-42180)

GHSA-3JVJ-V6W2-H948

Summary

Details

PoC

Impact

FKIE_CVE-2026-42180

Tags

Sightings

Nomenclature