Back to overview

CVE-2026-57575

MEDIUM
6.9
CVSS 4.0
Description
Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery (SSRF) vulnerability in URL preview functionality in UrlPreviewService. Due to missing network restrictions before establishing outbound connections, a remote attacker can cause the Misskey server to initiate HTTP requests to loopback, private, or link-local services. Because IP address validation takes place after the request has been sent and the process is subsequently rejected, no sensitive internal data is believed to be transmitted back or exposed to the attacker. This issue is fixed in version 2026.6.0.

Metadata

CVE ID
CVE-2026-57575
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-24 18:49 UTC
Published
2026-07-10 20:54 UTC
Last updated
2026-07-10 20:54 UTC
Primary CWE
CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product
misskey-dev / misskey
Sources
cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Affected products (1)
VendorProductPlatformVersions
misskey-dev misskey < 2026.6.0
Weakness (CWE)
CWESourceDescription
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
References (3)
Back to overview