CVE-2026-21885Server-Side Request Forgery in V2

CWE-918Server-Side Request Forgery7 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 86.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Miniflux V2Miniflux Project MinifluxMiniflux.app V2+1 more
Timeline
PublishedJan 8
Latest updateJan 12

Description

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflu

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

CVEListV5miniflux/v2< 2.2.16
Gominiflux.app/v2< 2.2.16
debiandebian/miniflux< miniflux 2.2.16-1 (forky)
NVDminiflux_project/miniflux2.0.02.2.16
Debianminiflux_project/miniflux< 2.2.16-1

🔴Vulnerability Details

4
OSV
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources in miniflux.app2026-01-12
OSV
CVE-2026-21885: Miniflux 2 is an open source feed reader2026-01-08
OSV
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources2026-01-07
GHSA
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources2026-01-07

📋Vendor Advisories

1
Debian
CVE-2026-21885: miniflux - Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's me...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-21885 Impact, Exploitability, and Mitigation Steps | Wiz