Miniflux
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-27591 | Miniflux | High | 0.42 | 7.5 | 0.01 | | Mar 17, 2023 | Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the… |
| CVE-2025-31483 | Miniflux | Med | 0.24 | — | 0.00 | | Apr 3, 2025 | Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy… |
| CVE-2023-27592 | Miniflux | Med | 0.24 | 4.8 | 0.01 | | Mar 17, 2023 | Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is returned unescaped without the expected Content Security… |
| CVE-2026-55185 | Miniflux | | 0.00 | — | — | | Jun 19, 2026 | Summary: The URL restrictions in `miniflux-v2` can be bypassed by attackers, leading to an open redirect vulnerability. Details: Normally, the redirect URL needs to be validated using `IsRelativePath`.… |
| CVE-2026-21885 | Miniflux | | 0.00 | — | 0.00 | | Jan 8, 2026 | Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for… |
| CVE-2025-67713 | Miniflux | | 0.00 | — | 0.00 | | Dec 11, 2025 | Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login… |