CVE-2026-56771

medium

Description

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.

References

https://www.vulncheck.com/advisories/newsblur-server-side-request-forgery-via-add-url-endpoint

https://github.com/samuelclay/NewsBlur/releases/tag/Android_14.5.0

https://github.com/samuelclay/NewsBlur/commit/af742daeca7cc6c8b0d58cbea381e7bc44daa520

https://github.com/samuelclay/NewsBlur/commit/2e6c6812c94f35a731bda864de5aef39f18307f1

Details

Source: Mitre, NVD

Published: 2026-06-25

Updated: 2026-06-26

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Severity: High

CVSS v4

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N

Severity: Medium