CVE-2026-56285

Source
https://cve.org/CVERecord?id=CVE-2026-56285
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56285.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56285
Published
2026-06-29T17:13:57.473Z
Modified
2026-07-16T03:31:10.085065896Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint
Details

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-1188",
        "CWE-918"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "44b2f096f67da2cc257a0e262a94a7ae79e95d47"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56285.json"
}
References

Affected packages

Git / github.com/zedeus/nitter

Affected ranges

Type
GIT
Repo
https://github.com/zedeus/nitter
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56285.json"