CVE-2026-57940: CWE-918 Server-Side Request Forgery (SSRF) in danpros HTMLy
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
AI Analysis
Technical Summary
CVE-2026-57940 describes an SSRF vulnerability in HTMLy 3.1.1 where the get_feed() function in system/admin/admin.php uses user-supplied URLs directly in file_get_contents() without validation. This allows an authenticated attacker with administrative privileges to cause the server to make arbitrary HTTP or file requests by providing crafted URLs via the Tools -> Import RSS interface. The vulnerability is categorized under CWE-918. No official patch or remediation level is currently documented.
Potential Impact
An attacker with administrative access can cause the server to make arbitrary requests to internal or external resources, potentially exposing internal services or files accessible to the server. The CVSS score of 2.1 (low) reflects that exploitation requires high privileges (admin) and has limited impact on confidentiality, integrity, and availability. There are no known exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrative access to trusted users only and avoid importing RSS feeds from untrusted sources. Monitor vendor communications for updates on official fixes.
CVE-2026-57940: CWE-918 Server-Side Request Forgery (SSRF) in danpros HTMLy
Description
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
CVSS v4.0
Score 2.1low
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-57940 describes an SSRF vulnerability in HTMLy 3.1.1 where the get_feed() function in system/admin/admin.php uses user-supplied URLs directly in file_get_contents() without validation. This allows an authenticated attacker with administrative privileges to cause the server to make arbitrary HTTP or file requests by providing crafted URLs via the Tools -> Import RSS interface. The vulnerability is categorized under CWE-918. No official patch or remediation level is currently documented.
Potential Impact
An attacker with administrative access can cause the server to make arbitrary requests to internal or external resources, potentially exposing internal services or files accessible to the server. The CVSS score of 2.1 (low) reflects that exploitation requires high privileges (admin) and has limited impact on confidentiality, integrity, and availability. There are no known exploits in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrative access to trusted users only and avoid importing RSS feeds from untrusted sources. Monitor vendor communications for updates on official fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-06-26T13:08:01.884Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3e7d61cef61ccff96cd503
Added to database: 06/26/2026, 13:23:45 UTC
Last enriched: 06/26/2026, 13:53:32 UTC
Last updated: 06/26/2026, 14:09:42 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.