CVE Catalog

CVE-2026-57940

Severity: Low (CVSS 2.1)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.

Risk Assessment

The risk includes the ability to scan internal networks, read local server files (e.g., /etc/passwd), and access cloud metadata services, potentially leading to sensitive data leakage and further attack escalation.

Recommendation

Update HTMLy to the latest version immediately. Until the update is applied, restrict access to the RSS import function to trusted administrators only and validate the supplied URL before fetching it: allow only the HTTP and HTTPS schemes and reject internal, loopback and link-local addresses (including cloud metadata endpoints).
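One way to implement the recommended validation in PHP, written here as an added example and not taken from HTMLy's code base (the function names and the way the import path would call them are assumptions):

```php
<?php
// Added example, not HTMLy's code: validate an RSS feed URL before fetching it,
// then fetch it without following redirects. Function names are hypothetical.

// True when $ip is loopback, private (RFC 1918 / fc00::/7), link-local
// (169.254.0.0/16, where cloud metadata endpoints live; fe80::/10) or otherwise reserved.
function is_internal_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the URL if it is acceptable to fetch, or null with a reason in $error.
function validate_feed_url(string $url, ?string &$error = null): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        $error = 'malformed URL'; return null;
    }
    // Only http/https: rejects file://, php://, gopher://, ftp:// and similar wrappers.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        $error = 'scheme not allowed'; return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        $error = 'credentials in URL'; return null;
    }
    $host = trim($p['host'], '[]');
    // A literal IP, or every A/AAAA record the hostname resolves to.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : array_merge(
        gethostbynamel($host) ?: [],
        array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6')
    );
    if ($ips === []) { $error = 'host does not resolve'; return null; }
    foreach ($ips as $ip) {
        if (is_internal_ip($ip)) { $error = "resolves to internal address $ip"; return null; }
    }
    return $url;
}

// Fetch with redirects disabled (a 30x to an internal host would otherwise bypass the
// check above) and a timeout. Residual risk: DNS rebinding between check and fetch;
// pinning the resolved IP for the actual request closes that gap.
function fetch_feed(string $url)
{
    if (validate_feed_url($url, $why) === null) {
        error_log("RSS import rejected: $why");
        return false;
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($url, false, $ctx);
}
```

With this in place, `fetch_feed('file:///etc/passwd')` and `fetch_feed('http://169.254.169.254/')` both return false and log the reason, while a public https feed URL is fetched as before.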

Vulnerability data from NVD (NIST) · CISA KEV · EPSS