Open Graph Image Fetching Vulnerability in Lemmy by LemmyNet
CVE-2026-42181

6.5MEDIUM

Key Information:

Vendor: Lemmynet
Status: Lemmy
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-42181?

Lemmy, a platform for link aggregation and forums, contains a vulnerability wherein authenticated low-privileged users can exploit the Open Graph image fetching feature. Specifically, prior to version 0.19.18, Lemmy fails to enforce restrictions on the extracted Open Graph image URLs during the preview image generation process. This oversight allows a user to submit a page whose image points to an internal server, prompting Lemmy to fetch and store this image server-side, potentially leading to information leaks or exposure of sensitive internal resources. Users are encouraged to update to version 0.19.18 to mitigate this risk.

Affected Version(s)

lemmy < 0.19.18

References

https://github.com/LemmyNet/lemmy/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/LemmyNet/lemmy/releases/tag/0.19.18

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42181 Data

JSON

Lemmynet

What is CVE-2026-42181?

Affected Version(s)

References

CVSS V3.1

Timeline