CVE-2026-42181

Source
https://cve.org/CVERecord?id=CVE-2026-42181
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42181.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42181
Aliases
Published
2026-05-08T19:26:07.763Z
Modified
2026-07-15T01:48:56.526560302Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image
Details

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42181.json"
}
References

Affected packages

Git / github.com/lemmynet/lemmy

Affected ranges

Type
GIT
Repo
https://github.com/lemmynet/lemmy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.19.18"
        }
    ]
}

Affected versions

0.*
0.10.0
0.10.0-rc.12
0.10.0-rc.13
0.10.0-rc.7
0.10.1
0.10.2
0.11.0
0.11.0-rc.1
0.11.1
0.11.2
0.11.3-rc.4
0.11.4-rc.16
0.12.0
0.12.0-rc.1
0.12.0-rc.2
0.13.0
0.13.0-rc.1
0.13.5-rc.7
0.13.6-rc.2
0.14.0
0.14.0-rc.1
0.14.0-rc.2
0.14.1
0.14.2
0.14.2-rc.1
0.14.3
0.15.0
0.15.0-rc.7
0.15.1
0.16.0
0.16.0-rc.1
0.16.0-rc.2
0.16.0-rc.3
0.16.0-rc.4
0.16.1
0.16.1-rc.1
0.16.2
0.16.2-rc.1
0.16.2-rc.2
0.16.2-rc.3
0.16.3
0.16.3-rc.1
0.16.5
0.17.0
0.17.0-rc.1
0.17.0-rc.3
0.17.0-rc.4
0.17.1
0.18.0
0.18.0-rc.1
0.18.0-rc.2
0.18.0-rc.3
0.18.0-rc.4
0.18.0-rc.5
0.18.0-rc.6
0.18.0-rc.8
0.18.1
0.18.1-rc.1
0.18.1-rc.10
0.18.1-rc.4
0.18.1-rc.9
0.18.4-beta.7
0.19.0
0.19.0-beta.7
0.19.0-rc.1
0.19.0-rc.10
0.19.0-rc.11
0.19.0-rc.12
0.19.0-rc.13
0.19.0-rc.14
0.19.0-rc.15
0.19.0-rc.16
0.19.0-rc.2
0.19.0-rc.3
0.19.0-rc.4
0.19.0-rc.5
0.19.0-rc.6
0.19.0-rc.7
0.19.0-rc.8
0.19.1-rc.1
0.19.1-rc.2
0.19.10
0.19.10-beta.0
0.19.10-beta.1
0.19.10-beta.2
0.19.11
0.19.11-beta.0
0.19.11-beta.1
0.19.11-beta.2
0.19.12
0.19.12-beta.0
0.19.12-beta.1
0.19.12-beta.10
0.19.12-beta.11
0.19.12-beta.12
0.19.12-beta.2
0.19.12-beta.3
0.19.12-beta.4
0.19.12-beta.5
0.19.12-beta.6
0.19.12-beta.7
0.19.12-beta.8
0.19.12-beta.9
0.19.13
0.19.13-beta.1
0.19.14
0.19.14-beta.0
0.19.14-beta.1
0.19.14-beta.2
0.19.15
0.19.15-beta.0
0.19.16
0.19.16-beta.0
0.19.16-beta.1
0.19.17
0.19.17-beta.0
0.19.18-beta.0
0.19.18-beta.1
0.19.18-beta.3
0.19.2
0.19.2-rc.1
0.19.2-rc.2
0.19.2-rc.4
0.19.2-rc.5
0.19.3
0.19.3-rc.1
0.19.4
0.19.4-beta.1
0.19.4-beta.3
0.19.4-beta.4
0.19.4-beta.5
0.19.4-beta.6
0.19.4-beta.7
0.19.4-beta.8
0.19.4-rc.1
0.19.4-rc.10
0.19.4-rc.11
0.19.4-rc.2
0.19.4-rc.3
0.19.4-rc.4
0.19.4-rc.5
0.19.4-rc.6
0.19.4-rc.7
0.19.4-rc.8
0.19.4-rc.9
0.19.5
0.19.5-alpha.1
0.19.5-alpha.2
0.19.5-alpha.3
0.19.6
0.19.6-beta.14
0.19.6-beta.15
0.19.6-beta.8
0.19.6-beta.9
0.19.7
0.19.7-beta.1
0.19.7-beta.2
0.19.8
0.19.8-beta.0
0.19.9
0.19.9-beta.0
0.19.9-beta.1
0.19.9-beta.2
0.19.9-beta.3
0.19.9-beta.4
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
v0.*
v0.0.7.4
v0.0.8.1
v0.0.8.2
v0.0.8.3
v0.4.0.3
v0.5.10
v0.7.17
v0.7.18
v0.7.19
v0.7.20
v0.7.21
v0.7.22
v0.7.23
v0.7.24
v0.7.25
v0.7.26
v0.7.28
v0.7.29
v0.7.3
v0.7.30
v0.7.31
v0.7.32
v0.7.33
v0.7.34
v0.7.35
v0.7.36
v0.7.37
v0.7.38
v0.7.39
v0.7.4
v0.7.40
v0.7.41
v0.7.42
v0.7.43
v0.7.44
v0.7.46
v0.7.47
v0.7.48
v0.7.49
v0.7.5
v0.7.50
v0.7.52
v0.7.53
v0.7.54
v0.7.55
v0.7.56
v0.7.57
v0.7.59
v0.7.6
v0.7.61
v0.7.62
v0.7.63
v0.7.64
v0.7.7
v0.7.8
v0.8.0
v0.8.1
v0.8.10
v0.8.3
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42181.json"