Description
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
Published: 2026-06-26
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator can cause the HTMLy server to fetch arbitrary content by entering a crafted URL into the RSS feed import tool. The supplied address is passed directly to file_get_contents without validation, enabling the server to request internal cloud metadata, local files, or external resources. This can expose sensitive information or facilitate further attacks within the network. The weakness is classified as CWE-918.

Affected Systems

The affected product is HTMLy version 3.1.1 from the vendor danpros. Only installations of this version that expose the admin import RSS functionality are impacted.

Risk and Exploitability

The CVSS score is 2.1, indicating low severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting low to moderate exploitation likelihood. Exploitation requires authentication with administrative privileges, so the attack surface is limited to users who have access to the admin panel. If credentials are compromised or the administration interface is broadly accessible, the SSRF can be used to exfiltrate data or perform internal reconnaissance.

Generated by OpenCVE AI on June 26, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HTMLy to a patched version (or upgrade to a newer release) that sanitises the $feed_url before passing it to file_get_contents
  • Change the admin configuration to disable the RSS feed import feature if it is not required, or restrict the URL whitelist to only trusted domains
  • Implement outbound network controls, such as firewall rules or a proxy, that block or log unexpected HTTP, HTTPS, or file protocol requests originating from the web server
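The first two actions come down to refusing any feed URL that is not an http/https address of a public host before it ever reaches file_get_contents. The following is an added illustration of that check, not HTMLy's own code; the page does not show the body of get_feed(), so the function names here are hypothetical and the wrapper is written to stand in for the unvalidated call the advisory describes.

```php
<?php
// Added example (not HTMLy's own code): an allow-list check in front of the
// file_get_contents() call described in the advisory. feed_url_rejection() and
// fetch_feed_safely() are hypothetical names; HTMLy's get_feed() is not shown here.

// Return null if the URL may be fetched, otherwise a short reason for refusing it.
function feed_url_rejection(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable URL or missing host';
    }
    // Only http/https: rules out file://, php://, and other stream wrappers.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '$scheme' not allowed";
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL not allowed';
    }
    // Resolve the host and refuse loopback, link-local (the 169.254.0.0/16
    // metadata range), private and reserved addresses. A literal IP is checked
    // directly; a hostname that does not resolve to IPv4 is rejected as well.
    $host = trim($parts['host'], '[]');
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($public === false) {
        return "host '$host' resolves to non-public address '$ip'";
    }
    return null;
}

// Fetch with redirects disabled, so a public host cannot bounce the request to
// an internal one after the check has passed, and with a timeout so a slow
// target cannot stall the admin panel. The check above resolves DNS separately
// from the fetch, so a second resolution could still differ (DNS rebinding);
// the outbound egress controls in the third action cover that gap.
function fetch_feed_safely(string $url): string
{
    if (($why = feed_url_rejection($url)) !== null) {
        throw new InvalidArgumentException("Refusing feed URL: $why");
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('feed fetch failed');
    }
    return $body;
}
```

Rejections should be logged with the offending URL and the admin account that submitted it, since a stream of refused internal addresses from the import form is itself a useful detection signal.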

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:45:00 +0000

First Time appeared
  Values Added: Danpros, Danpros htmly
Vendors & Products
  Values Added: Danpros, Danpros htmly

Fri, 26 Jun 2026 16:00:00 +0000

Title
  Values Removed: Authenticated SSRF via RSS Feed Import in HTMLy 3.1.1
  Values Added: Authenticated SSRF via RSS Feed Import in HTMLy 3.1.1

Fri, 26 Jun 2026 15:30:00 +0000

Title
  Values Added: Authenticated SSRF via RSS Feed Import in HTMLy 3.1.1
Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 14:15:00 +0000

Description
  Values Removed: HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com/ , file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
  Values Added: HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.

Fri, 26 Jun 2026 13:30:00 +0000

Description
  Values Added: HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com/ , file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
Weaknesses
  Values Added: CWE-918
References
Metrics
  Values Added: cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T13:25:52.575Z

Reserved: 2026-06-26T13:08:01.884Z

Link: CVE-2026-57940

Vulnrichment

Updated: 2026-06-26T13:25:49.283Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:30:05Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)