Security: LemmyNet/lemmy
Security
.github/SECURITY.md
-
Multi-community `Update` has no actor authorizationGHSA-5qxq-g3f3-57p5 published
May 19, 2026 by NutomicLow -
Private community profile and moderators leak via federation HTTPGHSA-9wj2-3cv5-cqrx published
May 18, 2026 by NutomicModerate -
Private community data exposed through community, saved, liked, and modlog API viewsGHSA-95q8-x6r6-672m published
Apr 29, 2026 by NutomicModerate -
Private Lemmy instances expose multi-community metadata without authenticationGHSA-jmxc-hhwx-gvv3 published
Apr 29, 2026 by NutomicModerate -
Resend verification endpoint exposes registered email addressesGHSA-qxrw-f6fh-34r7 published
Apr 30, 2026 by NutomicLow -
SSRF in /api/v3/post via Webmention dispatchGHSA-3jvj-v6w2-h948 published
Apr 20, 2026 by NutomicModerate -
SSRF and internal image disclosure in post link metadata via unvalidated og:imageGHSA-h6hf-9846-xwrq published
Apr 20, 2026 by NutomicModerate -
Blind SSRF in /api/v3/resolve_object, normal user can reach internal services and make outbound requestsGHSA-c482-7gjx-pp36 published
Apr 13, 2026 by NutomicLow -
SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()GHSA-q537-8fr5-cw35 published
Mar 23, 2026 by NutomicModerate -
Unauthenticated SSRF via file_type query parameter injection in image endpointGHSA-jvxv-2jjp-jxc3 published
Mar 3, 2026 by NutomicModerate
Learn more about advisories related to LemmyNet/lemmy in the GitHub Advisory Database