Go modules package
miniflux.app/v2
pkg:golang/miniflux.app/v2
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21885 | — | < 2.2.16 | 2.2.16 | Jan 8, 2026 | Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for | ||
| CVE-2025-67713 | — | < 2.2.15 | 2.2.15 | Dec 11, 2025 | Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login red | ||
| CVE-2025-31483 | Med | — | < 2.2.7 | 2.2.7 | Apr 3, 2025 | Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy | |
| CVE-2023-27592 | Med | 4.8 | >= 2.0.25, < 2.0.43 | 2.0.43 | Mar 17, 2023 | Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Pol | |
| CVE-2023-27591 | Hig | 7.5 | < 2.0.43 | 2.0.43 | Mar 17, 2023 | Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the defaul |
- CVE-2026-21885Jan 8, 2026affected < 2.2.16fixed 2.2.16
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for
- CVE-2025-67713Dec 11, 2025affected < 2.2.15fixed 2.2.15
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login red
- affected < 2.2.7fixed 2.2.7
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy
- affected >= 2.0.25, < 2.0.43fixed 2.0.43
Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security Pol
- affected < 2.0.43fixed 2.0.43
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the defaul