SCA: security update for fastfeedparser (GHSA-4gx2-pc4f-wq37)

high Tenable Cloud Security Plugin ID 440000

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL
that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with
the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An
attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded
recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be
chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL
check. This vulnerability is fixed in 0.5.10. (CVE-2026-39376)

Solution

Update the fastfeedparser library and its related packages to version 0.5.10 or later.

See Also

https://github.com/advisories/GHSA-4gx2-pc4f-wq37

Plugin Details

Severity: High

ID: 440000

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/8/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-39376

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/8/2026

Vulnerability Publication Date: 4/7/2026

Reference Information

CVE: CVE-2026-39376