{"id":"CVE-2026-21885","summary":"Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources","details":"Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.","aliases":["GHSA-xwh2-742g-w3wp","GO-2026-4287"],"modified":"2026-03-23T05:03:34.802339Z","published":"2026-01-08T13:57:25.445Z","related":["SUSE-SU-2026:0142-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21885.json","cwe_ids":["CWE-918"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21885.json"},{"type":"ADVISORY","url":"https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21885"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/miniflux/v2","events":[{"introduced":"9652dfa1feccd15bbb56d61281f148f71afcb800"},{"fixed":"6439d352d29fb1b6a9543c2309a0cc25f57ac68d"}]}],"versions":["2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.14","2.0.15","2.0.16","2.0.17","2.0.18","2.0.19","2.0.2","2.0.20","2.0.21","2.0.22","2.0.23","2.0.24","2.0.25","2.0.26","2.0.27","2.0.28","2.0.29","2.0.3","2.0.30","2.0.31","2.0.32","2.0.33","2.0.34","2.0.35","2.0.36","2.0.37","2.0.38","2.0.39","2.0.4","2.0.40","2.0.41","2.0.42","2.0.43","2.0.44","2.0.45","2.0.46","2.0.47","2.0.48","2.0.49","2.0.5","2.0.50","2.0.51","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.2.0","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","v1.0.46","v2.0.46","v2.0.47","v2.0.48","v2.0.49","v2.0.51","v2.1.1","v2.1.2","v2.2.0","v2.2.10","v2.2.11","v2.2.12","v2.2.13","v2.2.14","v2.2.15","v2.2.3","v2.2.7","v2.2.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21885.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}