CVE-2026-39376

HIGH

FastFeedParser <0.5.10 Meta-Refresh Redirects - Denial of Service

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39376. PoCs published by redyank.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-39376, an infinite redirect loop DoS vulnerability in the `fastfeedparser` library. The vulnerability arises from unbounded recursion in the `parse()` function when processing HTML meta-refresh tags, leading to stack exhaustion and potential SSRF chaining.

Description

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.

Exploits (1)

nomisec WRITEUP

by redyank · poc

https://github.com/redyank/CVE-2026-39376

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-39376, an infinite redirect loop DoS vulnerability in the `fastfeedparser` library. The vulnerability arises from unbounded recursion in the `parse()` function when processing HTML meta-refresh tags, leading to stack exhaustion and potential SSRF chaining.

Classification

Writeup 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: fastfeedparser (version not specified)

No auth needed

Prerequisites: User-supplied feed URL input to an application using `fastfeedparser.parse()`

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 10, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 23.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (3)

kagi/fastfeedparser < 0.5.10

kagisearch/fastfeedparser < 0.5.10

pypi/fastfeedparser 0 - 0.5.10PyPI

Published Apr 07, 2026

Tracked Since Apr 08, 2026