Security: LemmyNet/lemmy
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Federated Block activity can ban local users without site admin authorization
  GHSA-vh35-q865-92vr, published May 27, 2026 by Nutomic. Severity: Low
- Resend verification endpoint exposes registered email addresses
  GHSA-qxrw-f6fh-34r7, published Apr 30, 2026 by Nutomic. Severity: Low
- SSRF in /api/v3/post via Webmention dispatch
  GHSA-3jvj-v6w2-h948, published Apr 20, 2026 by Nutomic. Severity: Moderate
- SSRF and internal image disclosure in post link metadata via unvalidated og:image
  GHSA-h6hf-9846-xwrq, published Apr 20, 2026 by Nutomic. Severity: Moderate
- Blind SSRF in /api/v3/resolve_object, normal user can reach internal services and make outbound requests
  GHSA-c482-7gjx-pp36, published Apr 13, 2026 by Nutomic. Severity: Low
- SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
  GHSA-q537-8fr5-cw35, published Mar 23, 2026 by Nutomic. Severity: Moderate
- Unauthenticated SSRF via file_type query parameter injection in image endpoint
  GHSA-jvxv-2jjp-jxc3, published Mar 3, 2026 by Nutomic. Severity: Moderate
- DB performance issues
  GHSA-x57w-mr53-3f5h, published Jun 24, 2025 by Nutomic. Severity: Low
- Local users can delete arbitrary entries from the local_image table
  GHSA-373q-r73m-8mrg, published Jun 19, 2025 by Nutomic. Severity: Moderate
- Local users can delete arbitrary pict-rs media
  GHSA-7xwp-jqhc-v6vw, published Jun 19, 2025 by Nutomic. Severity: Moderate