PT-2026-31006 · Unknown · Fastfeedparser

Redyank · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39376

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

FastFeedParser versions prior to 0.5.10

Description

FastFeedParser, a high-performance RSS, Atom, and RDF parser, is susceptible to a denial-of-service issue. When the parse() function fetches a URL that redirects via an HTML <meta http-equiv="refresh"> tag, it can enter an infinite recursion loop if the redirect chain is unbounded. This occurs due to a lack of depth limiting, visited URL deduplication, and redirect count capping. An attacker controlling the server can exhaust the Python call stack, leading to a process crash. This issue can also be combined with a Server-Side Request Forgery (SSRF) issue to access internal network targets.

Recommendations

Update to FastFeedParser version 0.5.10 or later.
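
The controls the description lists as missing (a redirect cap, visited-URL deduplication, and no unbounded recursion), sketched as an added example; this is not FastFeedParser's code or its 0.5.10 fix. The names `resolve`, `fake_fetch`, `MAX_REDIRECTS` and the `feeds.test` host are assumptions, and the responses are constructed so the block runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

MAX_REDIRECTS = 5  # assumed cap for this sketch, not a value from the project

class RedirectLimitError(Exception):
    """Raised when a meta-refresh chain loops or exceeds the cap."""

class MetaRefreshParser(HTMLParser):
    """Records the target of the first <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "meta" or self.target is not None:
            return
        if (a.get("http-equiv") or "").lower() != "refresh":
            return
        # content has the form "0; url=/next"
        _, _, rest = (a.get("content") or "").partition(";")
        key, _, value = rest.strip().partition("=")
        if key.strip().lower() == "url" and value.strip():
            self.target = value.strip().strip("'\"")

def resolve(fetch, url, max_redirects=MAX_REDIRECTS):
    """Follow meta-refresh hops in a loop (no recursion); return (final_url, body)."""
    visited = set()
    for _ in range(max_redirects + 1):
        if url in visited:  # visited-URL deduplication
            raise RedirectLimitError(f"redirect loop at {url}")
        visited.add(url)
        body = fetch(url)
        parser = MetaRefreshParser()
        parser.feed(body)
        if parser.target is None:
            return url, body  # no further redirect: this is the document to parse
        url = urljoin(url, parser.target)
    raise RedirectLimitError(f"more than {max_redirects} meta-refresh redirects")

def fake_fetch(url):
    """Constructed responses: /hop/N refreshes to /hop/N+1 without end."""
    path = url.split("feeds.test", 1)[1]
    if path == "/feed.xml":
        return "<rss version='2.0'><channel/></rss>"
    target = {"/start": "/feed.xml", "/loop": "/loop"}.get(path)
    if target is None:
        target = f"/hop/{int(path.rsplit('/', 1)[1]) + 1}"
    return f'<meta http-equiv="refresh" content="0; url={target}">'
```

With the constructed responses, `resolve(fake_fetch, "http://feeds.test/hop/0")` stops after six fetches with `RedirectLimitError` instead of growing the call stack, and a self-referencing page is rejected on its second visit.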

Exploit

Fix

Uncontrolled Recursion

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-39376
GHSA-4GX2-PC4F-WQ37
PYSEC-2026-60

Affected Products

Fastfeedparser