PT-2026-56703 · Undefined · Undefined

0Xbassia

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-12517

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-12517

Affected Products

Undefined