CVE-2026-50872
Deferred Deferred - Pending Action

Command Injection in Selfoss RSS Reader

Vulnerability report for CVE-2026-50872, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fossar selfoss 2.20

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information by exploiting improper handling of loopback requests and forwarding headers.

This unauthorized access and potential data exposure could lead to non-compliance with common standards and regulations such as GDPR and HIPAA, which require protection of sensitive information and prevention of unauthorized access.

Specifically, the ability for an attacker to create privileged sources and perform server-side request forgery (SSRF) may result in exposure of personal or protected health information, violating confidentiality and data protection requirements.

Impact Analysis

This vulnerability can have serious impacts including unauthorized creation of privileged sources within the application and the ability to fetch arbitrary internal or external URLs.

Attackers can exploit this to execute arbitrary commands on the server and obtain sensitive information, potentially leading to data breaches, system compromise, and unauthorized access to internal network resources.

Executive Summary

CVE-2026-50872 is a vulnerability in the loopback request handling component of fossar selfoss version 2.20-SNAPSHOT. It occurs when the application is deployed behind a same-host reverse proxy that does not properly preserve forwarding headers such as X-Forwarded-For or Forwarded.

Because of this misconfiguration, the application mistakenly trusts external requests as if they originate from the local loopback address (127.0.0.1). This trust allows unauthenticated attackers to send crafted HTTP POST requests to the /source endpoint with an empty title and a malicious feed URL.

As a result, attackers can create privileged sources and trigger server-side URL fetches, effectively enabling Server-Side Request Forgery (SSRF). This means attackers can execute arbitrary commands and obtain sensitive information by exploiting the application's incorrect trust in the request origin.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /source endpoint with an empty title and a malicious feed URL, especially if these requests appear to originate from a loopback address (127.0.0.1) due to missing or improperly set forwarding headers like X-Forwarded-For or Forwarded.

You can use network monitoring or web server logs to identify such requests. For example, using command-line tools like curl or tcpdump to simulate or capture suspicious traffic might help.

  • Use curl to test the endpoint: curl -X POST -d 'title=&feed_url=http://malicious.example.com' http://your-selfoss-instance/source -v
  • Check web server logs for POST requests to /source with empty titles and unusual feed URLs.
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to /source.
Mitigation Strategies

Immediate mitigation steps include ensuring that your reverse proxy correctly preserves forwarding headers such as X-Forwarded-For or Forwarded, so that the application does not mistakenly trust external requests as originating from the loopback address.

Additionally, restrict or validate incoming requests to the /source endpoint to prevent unauthenticated creation of privileged sources.

If possible, update or patch the selfoss application to a version that addresses this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart