SSRF in Lemmynet Lemmy
CVE-2026-29178
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.001 (19.3th percentile)
Affected products
- Lemmynet Lemmy — versions < 0.19.16
Weakness classification (CWE)
References
- https://github.com/LemmyNet/lemmy/security/advisories/GHSA-jvxv-2jjp-jxc3 (x_refsource_CONFIRM)
- https://github.com/LemmyNet/lemmy/commit/f47a03f56d1797bceab5f34b6f624c91cecd5871 (x_refsource_MISC)