CVE-2026-42180

MEDIUM 6.3

Lemmy: SSRF in /api/v3/post via Webmention dispatch

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.

CWE	CWE-918
Vendor	lemmynet
Product	lemmy
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for lemmynet lemmy

Be the first to know when new medium vulnerabilities affecting lemmynet lemmy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

LemmyNet / lemmy

< 0.19.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 github.com: https://github.com/LemmyNet/lemmy/releases/tag/0.19.18