<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-16T02:26:50.738439+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/4dc6325f-934f-4edc-8755-e6d59b6f6be6/export</id>
    <title>4dc6325f-934f-4edc-8755-e6d59b6f6be6</title>
    <updated>2026-07-16T02:26:50.759152+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "4dc6325f-934f-4edc-8755-e6d59b6f6be6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50130", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mqngxrbyxq2l", "content": "CVE-2026-50130 - Pi-hole: Local privilege escalation from `pihole` user to root via `/etc/pihole/logrotate`\nCVE ID : CVE-2026-50130\n \n Published : July 14, 2026, 10:17 p.m. | 1\u00a0hour, 14\u00a0minutes ago\n \n Description : Pi-hole is a DNS sinkhole that protects devices from unwanted ...", "creation_timestamp": "2026-07-15T00:16:18.410178Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/4dc6325f-934f-4edc-8755-e6d59b6f6be6/export"/>
    <published>2026-07-15T00:16:18.410178+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/09319407-5ebc-42d0-98b3-6049afc4e9b6/export</id>
    <title>09319407-5ebc-42d0-98b3-6049afc4e9b6</title>
    <updated>2026-07-16T02:26:50.761218+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "09319407-5ebc-42d0-98b3-6049afc4e9b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50131", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/92590", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #SSRF #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-50131\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a chaitanyagarware\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-09 00:49:56\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-50131 / GHSA-xw9q-2mv6-9fr8: Fedify incomplete SSRF mitigation advisory landing page\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-15T00:00:33.549080Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/09319407-5ebc-42d0-98b3-6049afc4e9b6/export"/>
    <published>2026-07-15T00:00:33.549080+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/70e593bd-3209-400a-9f99-42c4d81313e1/export</id>
    <title>70e593bd-3209-400a-9f99-42c4d81313e1</title>
    <updated>2026-07-16T02:26:50.761395+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "70e593bd-3209-400a-9f99-42c4d81313e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50130", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mqncqrzxsk2a", "content": "\ud83d\udfe0 CVE-2026-50130 - High (8.8)\n\nPi-hole is a DNS sinkhole that protects devices from unwanted content without installing any clie...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-50130/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-07-14T23:00:49.765279Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/70e593bd-3209-400a-9f99-42c4d81313e1/export"/>
    <published>2026-07-14T23:00:49.765279+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/159d5e3c-0070-4270-b221-99cf5b212c0b/export</id>
    <title>159d5e3c-0070-4270-b221-99cf5b212c0b</title>
    <updated>2026-07-16T02:26:50.761530+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://cvepremium.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "159d5e3c-0070-4270-b221-99cf5b212c0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-50131", "type": "published-proof-of-concept", "source": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8", "content": "", "creation_timestamp": "2026-07-14T20:35:06.885669Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/159d5e3c-0070-4270-b221-99cf5b212c0b/export"/>
    <published>2026-07-14T20:35:06.885669+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/ec8085dc-12e4-4f52-b649-9decf74ef82c/export</id>
    <title>ec8085dc-12e4-4f52-b649-9decf74ef82c</title>
    <updated>2026-07-16T02:26:50.762713+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "ec8085dc-12e4-4f52-b649-9decf74ef82c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50131", "type": "seen", "source": "https://gist.github.com/alon710/8c969173ef01652db3c3dd0115519a9e", "content": "# CVE-2026-50131: CVE-2026-50131: Server-Side Request Forgery Validation Bypass in Fedify\n\n&amp;gt; **CVSS Score:** 8.6\n&amp;gt; **Published:** 2026-07-14\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-50131\n\n## Summary\nFedify, a TypeScript framework for ActivityPub servers, implemented incomplete public URL validation inside the @fedify/fedify and @fedify/vocab-runtime libraries. The validator only blocked basic RFC 1918 networks, standard loopbacks, and link-local addresses, failing to restrict Carrier-Grade NAT (CGNAT), benchmarking, reserved, or IPv6 transition addresses. Consequently, unauthenticated remote attackers can bypass SSRF filters to access sensitive internal microservices and endpoints.\n\n## TL;DR\nIncomplete IP validation in Fedify enables unauthenticated remote attackers to bypass SSRF protections and access internal services by using CGNAT, benchmarking, and IPv6 transition IP addresses.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-918\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 8.6\n- **EPSS Score**: 0.00269 (0.269%)\n- **Impact**: High Confidentiality, Low Integrity, Low Availability\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Fedify\n- @fedify/fedify\n- @fedify/vocab-runtime\n- **@fedify/fedify**: &amp;gt;= 0.11.2, &amp;lt; 1.9.12 (Fixed in: `1.9.12`)\n- **@fedify/fedify**: &amp;gt;= 1.10.0, &amp;lt; 1.10.11 (Fixed in: `1.10.11`)\n- **@fedify/fedify**: &amp;gt;= 2.0.0, &amp;lt; 2.0.19 (Fixed in: `2.0.19`)\n- **@fedify/fedify**: &amp;gt;= 2.1.0, &amp;lt; 2.1.15 (Fixed in: `2.1.15`)\n- **@fedify/fedify**: &amp;gt;= 2.2.0, &amp;lt; 2.2.4 (Fixed in: `2.2.4`)\n- **@fedify/vocab-runtime**: &amp;lt; 2.0.19 (Fixed in: `2.0.19`)\n- **@fedify/vocab-runtime**: &amp;gt;= 2.1.0, &amp;lt; 2.1.15 (Fixed in: `2.1.15`)\n- **@fedify/vocab-runtime**: &amp;gt;= 2.2.0, &amp;lt; 2.2.4 (Fixed in: `2.2.4`)\n\n## Mitigation\n\n- Upgrade Fedify and Vocab-Runtime packages immediately\n- Enforce network-level egress blocking for private subnets\n- Pin HTTP requests strictly to validated IP addresses to prevent DNS rebinding\n\n**Remediation Steps:**\n1. Audit the current codebase dependencies using package-lock.json or pnpm-lock.yaml for vulnerable versions of @fedify/fedify (&amp;lt; 1.9.12, &amp;lt; 1.10.11, &amp;lt; 2.0.19, &amp;lt; 2.1.15, &amp;lt; 2.2.4).\n2. Update the dependency configuration to specify secure, patched versions.\n3. Deploy the updated software to production servers.\n4. Configure network edge routers and container configurations to drop outbound traffic originating from application servers directed to private or CGNAT addresses.\n\n## References\n\n- [GitHub Security Advisory GHSA-xw9q-2mv6-9fr8](https://github.com/fedify-dev/fedify/security/advisories/GHSA-xw9q-2mv6-9fr8)\n- [GitHub Repository - CVE-2026-50131 Analysis and PoC Index](https://github.com/chaitanyagarware/CVE-2026-50131)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-50131) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-14T18:41:49.908541Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/ec8085dc-12e4-4f52-b649-9decf74ef82c/export"/>
    <published>2026-07-14T18:41:49.908541+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/3a25fe72-d760-44b5-a43d-1cb2afb9af5b/export</id>
    <title>3a25fe72-d760-44b5-a43d-1cb2afb9af5b</title>
    <updated>2026-07-16T02:26:50.762899+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "3a25fe72-d760-44b5-a43d-1cb2afb9af5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50131", "type": "seen", "source": "https://t.me/GithubRedTeam/92590", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #SSRF #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-50131\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a chaitanyagarware\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-09 00:49:56\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-50131 / GHSA-xw9q-2mv6-9fr8: Fedify incomplete SSRF mitigation advisory landing page\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-14T01:00:11.006272Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/3a25fe72-d760-44b5-a43d-1cb2afb9af5b/export"/>
    <published>2026-07-14T01:00:11.006272+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/a2da1b9c-1ccf-41dd-aa2f-e2db9afbac1b/export</id>
    <title>a2da1b9c-1ccf-41dd-aa2f-e2db9afbac1b</title>
    <updated>2026-07-16T02:26:50.763035+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "a2da1b9c-1ccf-41dd-aa2f-e2db9afbac1b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50131", "type": "seen", "source": "https://t.me/GithubRedTeam/92590", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #SSRF #CVE\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a CVE-2026-50131\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a chaitanyagarware\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Unknown\n\u2b50 Star\u6570\u91cf\uff1a 1  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-07-09 00:49:56\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2026-50131 / GHSA-xw9q-2mv6-9fr8: Fedify incomplete SSRF mitigation advisory landing page\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-07-13T22:00:06.716575Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/a2da1b9c-1ccf-41dd-aa2f-e2db9afbac1b/export"/>
    <published>2026-07-13T22:00:06.716575+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/01382349-fcfc-4cd2-8b7b-f89c66a4fa8a/export</id>
    <title>01382349-fcfc-4cd2-8b7b-f89c66a4fa8a</title>
    <updated>2026-07-16T02:26:50.763145+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "01382349-fcfc-4cd2-8b7b-f89c66a4fa8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50134", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mpyw6hcang24", "content": "CVE-2026-50134 - Hugo: security.http.urls allow-list bypass via HTTP redirects\nCVE ID : CVE-2026-50134\n \n Published : July 6, 2026, 7:42 p.m. | 5\u00a0minutes ago\n \n Description : Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http...", "creation_timestamp": "2026-07-06T20:22:34.527942Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/01382349-fcfc-4cd2-8b7b-f89c66a4fa8a/export"/>
    <published>2026-07-06T20:22:34.527942+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/c15fa9d9-69eb-4e7b-acb0-6b1e3e6461e8/export</id>
    <title>c15fa9d9-69eb-4e7b-acb0-6b1e3e6461e8</title>
    <updated>2026-07-16T02:26:50.763249+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cvepremium.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "c15fa9d9-69eb-4e7b-acb0-6b1e3e6461e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50133", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mpyunv5kaz2v", "content": "CVE-2026-50133 - Hugo: XSS via text/html content files\nCVE ID : CVE-2026-50133\n \n Published : July 6, 2026, 7:31 p.m. | 16\u00a0minutes ago\n \n Description : Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the ...", "creation_timestamp": "2026-07-06T19:55:29.867197Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/c15fa9d9-69eb-4e7b-acb0-6b1e3e6461e8/export"/>
    <published>2026-07-06T19:55:29.867197+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/af1dc67f-fad7-4d0e-848b-0dacdf35dd30/export</id>
    <title>af1dc67f-fad7-4d0e-848b-0dacdf35dd30</title>
    <updated>2026-07-16T02:26:50.763349+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://cvepremium.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "af1dc67f-fad7-4d0e-848b-0dacdf35dd30", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-50138", "type": "published-proof-of-concept", "source": "https://github.com/goshs-labs/goshs/security/advisories/GHSA-3whc-qvhv-xqjp", "content": "", "creation_timestamp": "2026-07-01T22:35:05.171691Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/af1dc67f-fad7-4d0e-848b-0dacdf35dd30/export"/>
    <published>2026-07-01T22:35:05.171691+00:00</published>
  </entry>
</feed>
