Nextcloud · Nextcloud News · CVE-2026-44515
**Name of the Vulnerable Software and Affected Versions**
Nextcloud News versions prior to 28.3.0-beta.1
**Description**
Nextcloud News, an RSS/Atom feed reader, allows authenticated users to add feeds via the web interface or API. An authenticated attacker can provide a URL pointing to localhost or internal/private IP ranges, triggering the server to perform server-side HTTP requests to those destinations without relaying the result. This leads to blind Server-Side Request Forgery (SSRF)—a flaw where a server is tricked into making requests to an unintended location—which can be used to scan or probe internal network services reachable from the server.
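The destination check that this class of flaw calls for, as an added Python example (not Nextcloud News code and not the project's actual fix): a feed URL is accepted only if every address it resolves to is globally routable. The function names, the injectable `resolver` parameter and the sample hostnames and addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host, port):
    """Return every address (A and AAAA) the name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_public(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # classify ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast

def check_feed_url(url, resolver=system_resolver):
    """Return (ok, reason, addrs); addrs are the vetted IPs to connect to."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS
    except ValueError:
        try:
            addrs = resolver(host, port)
        except OSError:
            return False, "resolution failed", []
    if not addrs:
        return False, "resolution failed", []
    # One internal answer is enough to refuse: a name may mix public
    # and private records to slip past a first-address-only check.
    for addr in addrs:
        if not is_public(addr):
            return False, "non-public address " + addr, []
    return True, "ok", addrs

# Constructed sample resolver for offline use (names and IPs are made up).
def sample_resolver(host, port):
    table = {"feeds.example.org": ["93.184.216.34"],
             "localhost": ["127.0.0.1", "::1"],
             "intranet.example.org": ["93.184.216.34", "10.0.0.5"]}
    return table.get(host, [])
```

The fetcher should connect to the returned addresses rather than resolving the name a second time, and should run the same check on every redirect target.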
**Recommendations**
Update to version 28.3.0-beta.1.