CVE-2026-21885

MEDIUM

Miniflux 2.0.0-2.2.15 - Authenticated Server-Side Request Forgery via Media Proxy Endpoint

Title source: llm

Description

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp

Scores

CVSS v3 6.5

EPSS 0.0026

EPSS Percentile 16.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

miniflux.app/v2 0 - 2.2.16Go

miniflux_project/miniflux 2.0.0 - 2.2.16

Published Jan 08, 2026

Tracked Since Feb 18, 2026