Miniflux V2 vulnerabilities

5 known vulnerabilities affecting miniflux/v2.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4

Vulnerabilities

CVE-2026-21885 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 2.2.16 | 2026-01-08
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including in
Source: NVD

CVE-2025-67713 | MEDIUM | CVSS 5.3 | CWE-601 | fixed in 2.2.15 | 2025-12-11
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.
Source: NVD

CVE-2025-31483 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 2.2.7 | 2025-04-03
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-acti
Source: NVD

CVE-2023-27591 | HIGH | CVSS 7.5 | CWE-200 | fixed in 2.0.43 | 2023-03-17
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in Miniflux 2.0.43. As a workaround, set `METRICS
Source: NVD

CVE-2023-27592 | MEDIUM | CVSS 5.4 | CWE-79 | affected versions >= 2.0.25, < 2.0.43 | 2023-03-17
Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Policy header added to valid responses. By creating an RSS feed item with th
Source: NVD