CVE-2026-57940
Status: Received - Intake
Server-Side Request Forgery in HTMLy 3.1.1

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: MITRE

Description
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
Affected Vendors & Products
Vendor: danpros
Product: htmly
Version / Range: 3.1.1
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-57940 is a Server-Side Request Forgery (SSRF) vulnerability found in HTMLy version 3.1.1. It occurs in the RSS feed import functionality where the function get_feed() in system/admin/admin.php takes a user-supplied URL and passes it directly to file_get_contents() without validating it. This means an authenticated attacker with administrative privileges can input a crafted URL, causing the server to make unintended requests to attacker-controlled or sensitive internal resources.

Impact Analysis

This vulnerability can allow an attacker with admin access to make the server perform arbitrary HTTP or file requests. This can lead to exposure of sensitive internal resources such as local files (e.g., /etc/passwd) or cloud metadata services (e.g., 169.254.169.254). It may also enable attackers to interact with internal network services that are not normally accessible externally, potentially leading to further compromise or data leakage.

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound HTTP requests originating from the server, especially requests to unexpected or attacker-controlled URLs such as external DNS logging services or internal IP addresses like 169.254.169.254.

You can also check the application logs for any usage of the RSS feed import functionality with suspicious URLs.

Suggested commands to detect exploitation attempts include:

  • Using tcpdump or similar tools to capture outbound HTTP requests: tcpdump -i eth0 -n dst port 80 or 443 (as written, this filter also matches inbound client requests to the server's own web ports; restrict it to the server's source address, or at least exclude the server's own IP as destination, to see only outbound connections)
  • Using curl or wget to test the RSS import endpoint with crafted URLs and observe server behavior.
  • Checking web server access logs for POST requests to the Tools -> Import RSS endpoint containing suspicious feed URLs.

Mitigation Strategies

Immediate mitigation steps include restricting access to the RSS feed import functionality to trusted administrators only and validating or sanitizing the feed URL input to prevent SSRF.

Additionally, you should consider disabling the RSS feed import feature temporarily until a patch or update is available.

Monitoring and blocking outbound requests to internal or suspicious IP addresses from the server can also reduce risk.
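As an added illustration of the "validate the feed URL" mitigation above (this is not HTMLy's code, and the function names are assumed; the advisory only says that get_feed() hands $feed_url straight to file_get_contents()), the following restricts the scheme, checks every resolved address against private and reserved ranges, and disables redirect following before the fetch:

```php
<?php
// Added example, not HTMLy's code. Function names are assumed; the advisory
// only states that get_feed() passes $feed_url straight to file_get_contents().

// Returns true only for http(s) URLs whose host resolves to public addresses.
function is_safe_feed_url(string $feed_url): bool
{
    $parts = parse_url($feed_url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                       // unparsable, relative, or schemeless
    }
    // Remote feeds only: rejects file://, php://, gopher://, ftp:// and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]');     // strip IPv6 literal brackets
    // Literal IP, or every A record of the name (gethostbynamel() is IPv4 only;
    // add dns_get_record($host, DNS_AAAA) if the server has IPv6 egress).
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, fe80::/10
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Hardened fetch: validates first, then refuses to follow redirects, because a
// 302 from an allowed host to 169.254.169.254 would bypass the check above.
// Caveat: file_get_contents() resolves the name again, so a DNS record that
// rebinds between the check and the fetch can still race it; fetch by IP to close that gap.
function get_feed_hardened(string $feed_url): ?string
{
    if (!is_safe_feed_url($feed_url)) {
        return null;
    }
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 10],
    ]);
    $body = file_get_contents($feed_url, false, $ctx);
    return $body === false ? null : $body;
}
```

With this in place, the three example inputs from the description (a DNS-logging hostname is allowed only if it resolves to public addresses, while file:///etc/passwd and http://169.254.169.254 are rejected before any request is made) behave as the mitigation intends.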
