Server-Side Request Forgery Vulnerability in Lemmy Link Aggregator
CVE-2026-42180

6.3MEDIUM

Key Information:

Vendor: Lemmynet
Status: Lemmy
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-42180?

A vulnerability in Lemmy, a link aggregator for the fediverse, allows authenticated low-privileged users to create a link post through the POST /api/v3/post endpoint. When a post is made in a public community, the system asynchronously sends a Webmention request to an attacker-controlled link, without properly rejecting loopback or private addresses. This oversight enables a regular user to trigger server-side HTTP requests to internal services. The issue was addressed in version 0.19.18.

Affected Version(s)

lemmy < 0.19.18

References

https://github.com/LemmyNet/lemmy/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/LemmyNet/lemmy/releases/tag/0.19.18

x_refsource_MISC

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42180 Data

JSON

Lemmynet

What is CVE-2026-42180?

Affected Version(s)

References

CVSS V3.1

Timeline