Security

Report a vulnerability

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

Use Github's security advisory issue system.

SSRF in /api/v3/post via Webmention dispatch
GHSA-3jvj-v6w2-h948 published Apr 20, 2026 by Nutomic

Moderate
SSRF and internal image disclosure in post link metadata via unvalidated og:image
GHSA-h6hf-9846-xwrq published Apr 20, 2026 by Nutomic

Moderate
Blind SSRF in /api/v3/resolve_object, normal user can reach internal services and make outbound requests
GHSA-c482-7gjx-pp36 published Apr 13, 2026 by Nutomic

Low
SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
GHSA-q537-8fr5-cw35 published Mar 23, 2026 by Nutomic

Moderate
Unauthenticated SSRF via file_type query parameter injection in image endpoint
GHSA-jvxv-2jjp-jxc3 published Mar 3, 2026 by Nutomic

Moderate
DB performance issues
GHSA-x57w-mr53-3f5h published Jun 24, 2025 by Nutomic

Low
Local users can delete arbitrary entries from the local_image table
GHSA-373q-r73m-8mrg published Jun 19, 2025 by Nutomic

Moderate
Local users can delete arbitrary pict-rs media
GHSA-7xwp-jqhc-v6vw published Jun 19, 2025 by Nutomic

Moderate
Purging users or communities or banning users can delete images they didn't upload/exclusively use
GHSA-wr2m-38xh-rpc9 published Apr 8, 2025 by dessalines

Moderate
Server-Side Request Forgery (SSRF) in activitypub_federation
GHSA-7723-35v7-qcxw published Feb 10, 2025 by dessalines

Moderate

Learn more about advisories related to LemmyNet/lemmy in the GitHub Advisory Database