PT-2026-2121 · Miniflux+1

Eclipse07077-Ljw · Published 2026-01-07 · Updated 2026-03-07 · CVE-2026-21885

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Miniflux versions prior to 2.2.16

Description

Miniflux is an open source feed reader. Prior to version 2.2.16, the media proxy endpoint, GET /proxy/{encodedDigest}/{encodedURL}, can be exploited to perform Server-Side Request Forgery (SSRF). An authenticated user can manipulate Miniflux to create a signed proxy URL for media URLs specified by the attacker within feed entry content. These URLs can include internal addresses, such as localhost, private RFC1918 ranges, or link-local metadata endpoints. Accessing the generated /proxy/... URL causes Miniflux to retrieve and return the response from the internal address.

Recommendations

Upgrade to Miniflux version 2.2.16 or later.
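
Added example, not Miniflux code and not the 2.2.16 patch: a dial-time guard in Go that refuses the address classes named in the description (loopback, RFC1918, link-local), checked on the resolved IP so hostnames and redirects are covered too. The names guardDial, isInternalAddr, newGuardedClient and errInternalTarget are hypothetical, and the sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

var errInternalTarget = errors.New("proxy target is an internal address")

// isInternalAddr reports whether addr is loopback, private (RFC1918 or IPv6
// ULA), link-local (covers 169.254.169.254 metadata), multicast or unspecified.
func isInternalAddr(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsMulticast() || addr.IsUnspecified()
}

// guardDial is a net.Dialer Control hook. It runs after DNS resolution, on the
// literal IP about to be connected to, so a name resolving inward is rejected.
func guardDial(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("unparseable dial address %q: %w", address, err)
	}
	if isInternalAddr(ap.Addr()) {
		return fmt.Errorf("%w: %s", errInternalTarget, ap.Addr())
	}
	return nil
}

// newGuardedClient returns a client whose connections (redirects included) pass guardDial.
func newGuardedClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: guardDial}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
	}
}

func main() {
	for _, a := range []string{"127.0.0.1:80", "169.254.169.254:80", "93.184.216.34:443"} { // constructed samples
		fmt.Printf("%-20s -> %v\n", a, guardDial("tcp4", a, nil))
	}
}
```

A check applied only to the URL string before fetching misses hostnames that resolve to internal addresses and redirects to them, which is why this guard sits in the dialer.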

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-21885
GHSA-XWH2-742G-W3WP
GO-2026-4287
SUSE-SU-2026:0142-1

Affected Products

Debian
Miniflux