CVE-2026-56771
HIGH
NewsBlur < 14.5.0 - Server-Side Request Forgery via add_url Endpoint
Title source: cna
Description
NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.
References (4)
Core References
Release Notes
https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0
Patch Commit (1)
https://github.com/samuelclay/NewsBlur/commit/2e6c6812c94f35a731bda864de5aef39f18307f1
Patch Commit (2)
https://github.com/samuelclay/NewsBlur/commit/af742daeca7cc6c8b0d58cbea381e7bc44daa520
Third Party Advisory
https://www.vulncheck.com/advisories/newsblur-server-side-request-forgery-via-add-url-endpoint
Scores
CVSS v3: 8.5
EPSS: 0.0020
EPSS Percentile: 10.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (1)
samuelclay/NewsBlur < 14.5.0
Published: Jun 25, 2026
Tracked Since: Jun 26, 2026