CVE-2026-12516
Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Media Proxy
CVSS Score
5.3
EPSS Score
0.1%
EPSS Percentile
3th
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.
| Vendor | unknown |
| Product | fediverse embeds |
| Published | Jul 9, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown fediverse embeds
Be the first to know when new medium vulnerabilities affecting unknown fediverse embeds are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Fediverse Embeds
0 < 1.5.8
References
Credits
0xBassia WPScan