ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39087.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-777"
]
}