CVE-2026-39376: CWE-674: Uncontrolled Recursion in kagisearch fastfeedparser
CVE-2026-39376 is a high-severity vulnerability in the fastfeedparser component of kagisearch versions prior to 0. 5. 10. The parser recursively follows HTML meta-refresh redirects without any limit on recursion depth, visited URL deduplication, or redirect count cap. This can lead to unbounded recursion, exhausting the Python call stack and causing the process to crash. The vulnerability can be combined with a server-side request forgery (SSRF) issue to target internal networks. The issue is fixed in version 0. 5. 10.
AI Analysis
Technical Summary
FastFeedParser, a high-performance RSS, Atom, and RDF parser, prior to version 0.5.10, recursively processes URLs containing HTML meta-refresh tags without limiting recursion depth or tracking visited URLs. This uncontrolled recursion (CWE-674) can cause a stack overflow and crash the process when an attacker-controlled server returns an infinite chain of meta-refresh redirects. The vulnerability has a CVSS 3.1 score of 7.5 (high severity) and can be chained with an SSRF vulnerability to reach internal network targets. The vulnerability is resolved in fastfeedparser version 0.5.10.
Potential Impact
Exploitation of this vulnerability results in denial of service by crashing the process due to stack exhaustion from uncontrolled recursion. There is no direct confidentiality or integrity impact described. However, when combined with a companion SSRF vulnerability, it may facilitate internal network access, increasing the attack surface.
Mitigation Recommendations
Upgrade fastfeedparser to version 0.5.10 or later, where this uncontrolled recursion issue is fixed. Patch status is confirmed by the vendor stating the fix is included in version 0.5.10. No additional mitigation is indicated.
CVE-2026-39376: CWE-674: Uncontrolled Recursion in kagisearch fastfeedparser
Description
CVE-2026-39376 is a high-severity vulnerability in the fastfeedparser component of kagisearch versions prior to 0. 5. 10. The parser recursively follows HTML meta-refresh redirects without any limit on recursion depth, visited URL deduplication, or redirect count cap. This can lead to unbounded recursion, exhausting the Python call stack and causing the process to crash. The vulnerability can be combined with a server-side request forgery (SSRF) issue to target internal networks. The issue is fixed in version 0. 5. 10.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FastFeedParser, a high-performance RSS, Atom, and RDF parser, prior to version 0.5.10, recursively processes URLs containing HTML meta-refresh tags without limiting recursion depth or tracking visited URLs. This uncontrolled recursion (CWE-674) can cause a stack overflow and crash the process when an attacker-controlled server returns an infinite chain of meta-refresh redirects. The vulnerability has a CVSS 3.1 score of 7.5 (high severity) and can be chained with an SSRF vulnerability to reach internal network targets. The vulnerability is resolved in fastfeedparser version 0.5.10.
Potential Impact
Exploitation of this vulnerability results in denial of service by crashing the process due to stack exhaustion from uncontrolled recursion. There is no direct confidentiality or integrity impact described. However, when combined with a companion SSRF vulnerability, it may facilitate internal network access, increasing the attack surface.
Mitigation Recommendations
Upgrade fastfeedparser to version 0.5.10 or later, where this uncontrolled recursion issue is fixed. Patch status is confirmed by the vendor stating the fix is included in version 0.5.10. No additional mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T21:29:17.350Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d56287aaed68159a58f981
Added to database: 4/7/2026, 8:01:11 PM
Last enriched: 4/15/2026, 12:37:00 PM
Last updated: 5/23/2026, 5:54:20 PM
Views: 57
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.