Unbounded Recursion Vulnerability in FastFeedParser by Kagisearch
CVE-2026-39376

7.5HIGH

Key Information:

Vendor: Kagisearch
Status: Fastfeedparser
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39376?

The FastFeedParser library, utilized for parsing RSS, Atom, and RDF feeds, is prone to an unbounded recursion vulnerability. In versions prior to 0.5.10, the parse() function can be exploited when it encounters a redirect URL that invokes HTML meta-refresh tags. This flaw allows an attacker to create an infinite loop of redirects, leading to excessive consumption of resources that can crash the Python process. Additional concerns arise as this vulnerability can be exploited alongside a Server-Side Request Forgery (SSRF) issue to target internal networks, potentially bypassing initial security checks.

Affected Version(s)

fastfeedparser < 0.5.10

References

https://github.com/kagisearch/fastfeedparser/security/adv...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39376 Data

JSON