CVE-2026-12517
Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Site Info Endpoint
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.
| Vendor | unknown |
| Product | fediverse embeds |
| Published | Jul 9, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown fediverse embeds
Be the first to know when new medium vulnerabilities affecting unknown fediverse embeds are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Fediverse Embeds
0 < 1.5.8
References
Credits
0xBassia WPScan