PT-2026-37169 · Lemmy · Lemmy

Nutomic · Published 2026-04-24 · Updated 2026-05-13
CVE-2026-42180 · CVSS v3.1 6.3 Medium · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Lemmy versions prior to 0.19.18
Description: An authenticated low-privileged user can trigger server-side HTTP requests toward internal services. When a user creates a link post in a public community via the POST /api/v3/post endpoint, the backend asynchronously sends a Webmention to the target link, but it does not reject loopback, private, or link-local destinations. The url value is checked for syntax and scheme by the is_valid_url() function, which performs no internal-address rejection, so the application server can be used as a blind Server-Side Request Forgery (SSRF) primitive: the attacker does not see the response, but can make the server connect to any host it can reach on its own network. SSRF is a flaw in which an attacker forces a server to make requests to an unintended location, often bypassing network security controls to reach internal systems.
Recommendations: Update to version 0.19.18.
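The advisory's point is that validating a link's syntax and scheme says nothing about where the fetch will go. The Rust below is an added example, not Lemmy's code and not the 0.19.18 fix, of the destination check a Webmention sender needs before it connects: it extracts the host, resolves it, and rejects loopback, private, link-local, CGNAT, unspecified and IPv4-mapped addresses, checking every resolved address rather than just the first. The URLs in main are constructed samples; the names host_of, is_internal and check_destination are this example's own.

```rust
use std::net::{IpAddr, Ipv4Addr, ToSocketAddrs};

/// Extract the host of an http(s) URL without pulling in the `url` crate.
/// Returns None for any other scheme or a malformed authority, which the
/// caller treats as a rejection rather than falling through to a fetch.
pub fn host_of(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))?;
    // The authority ends at the first '/', '?' or '#'.
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    // Drop any userinfo ("user:pw@") in front of host:port.
    let hostport = authority.rsplit('@').next()?;
    let host = if let Some(stripped) = hostport.strip_prefix('[') {
        // Bracketed IPv6 literal, e.g. [::1]:8080
        let end = stripped.find(']')?;
        &stripped[..end]
    } else {
        hostport.split(':').next()?
    };
    if host.is_empty() { None } else { Some(host.to_string()) }
}

fn is_internal_v4(v4: Ipv4Addr) -> bool {
    let o = v4.octets();
    v4.is_loopback()                       // 127.0.0.0/8
        || v4.is_private()                 // 10/8, 172.16/12, 192.168/16
        || v4.is_link_local()              // 169.254/16, where cloud metadata services live
        || v4.is_unspecified()             // 0.0.0.0 reaches localhost on Linux
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64/10 carrier-grade NAT
}

/// True if a server-side fetch must never be sent to this address.
pub fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => {
            // ::ffff:a.b.c.d reaches the IPv4 host a.b.c.d, so it inherits the v4 verdict.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_internal_v4(v4);
            }
            let seg0 = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed(Vec<IpAddr>),
    Rejected(String),
}

/// Resolve the URL's host and refuse the fetch if ANY resolved address is internal.
/// A hostname may answer with a mix of public and private records; one bad record is enough.
pub fn check_destination(url: &str) -> Verdict {
    let host = match host_of(url) {
        Some(h) => h,
        None => return Verdict::Rejected("unsupported scheme or malformed URL".into()),
    };
    // IP literals need no DNS; hostnames are resolved. The port does not affect the verdict.
    let addrs: Vec<IpAddr> = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => match (host.as_str(), 0u16).to_socket_addrs() {
            Ok(iter) => iter.map(|sa| sa.ip()).collect(),
            Err(e) => return Verdict::Rejected(format!("DNS failure for {host}: {e}")),
        },
    };
    if addrs.is_empty() {
        return Verdict::Rejected(format!("{host} resolved to no addresses"));
    }
    if let Some(bad) = addrs.iter().find(|ip| is_internal(**ip)) {
        return Verdict::Rejected(format!("{host} resolves to internal address {bad}"));
    }
    Verdict::Allowed(addrs)
}

fn main() {
    // Constructed sample link-post targets, not taken from the advisory.
    for u in [
        "https://example.org/article",
        "http://127.0.0.1:8536/api/v3/site",
        "http://[::1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.5]/",
        "ftp://example.org/",
    ] {
        println!("{u} -> {:?}", check_destination(u));
    }
}
```

Two caveats for anyone wiring this into a real sender. First, resolving here and then letting the HTTP client resolve again leaves a DNS-rebinding window, so the robust form applies is_internal to the address the client actually connects to (or pins the client to the addresses returned by the check). Second, a Webmention target can redirect, so either disable redirects for this fetch or re-run the check on every hop.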

SSRF

Related Identifiers: CVE-2026-42180, GHSA-3JVJ-V6W2-H948

Affected Products: Lemmy