Mei23

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 12.90.0 **Description** A Server-Side Request Forgery issue exists in the "Upload from URL" and remote attachment handling features of Misskey, potentially leading to the disclosure of non-public information within the internal network. This issue can be mitigated by restricting access to private networks from the host where the application is running. **Recommendations** For versions prior to 12.90.0, update to version 12.90.0 to resolve the issue. If a proxy is in use, additional measures will be necessary. As a temporary workaround, consider restricting access to private networks from the host where the application is running to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 12.51.0 **Description** Misskey is a decentralized microblogging platform. In versions prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. **Recommendations** For versions prior to 12.51.0, upgrade to version 12.51.0 to resolve the issue. As a temporary workaround, consider restricting access to the web client built-in dialog until the upgrade is applied.