Security

Report a vulnerability

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

Use Github's security advisory issue system.

SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
GHSA-q537-8fr5-cw35 published Mar 23, 2026 by Nutomic

Moderate
Unauthenticated SSRF via file_type query parameter injection in image endpoint
GHSA-jvxv-2jjp-jxc3 published Mar 3, 2026 by Nutomic

Moderate
DB performance issues
GHSA-x57w-mr53-3f5h published Jun 24, 2025 by Nutomic

Low
Local users can delete arbitrary entries from the local_image table
GHSA-373q-r73m-8mrg published Jun 19, 2025 by Nutomic

Moderate
Local users can delete arbitrary pict-rs media
GHSA-7xwp-jqhc-v6vw published Jun 19, 2025 by Nutomic

Moderate
Purging users or communities or banning users can delete images they didn't upload/exclusively use
GHSA-wr2m-38xh-rpc9 published Apr 8, 2025 by dessalines

Moderate
Server-Side Request Forgery (SSRF) in activitypub_federation
GHSA-7723-35v7-qcxw published Feb 10, 2025 by dessalines

Moderate
Any authenticated user may obtain private message details from other users on the same instance
GHSA-r64r-5h43-26qv published Jan 24, 2024 by dessalines

High

Learn more about advisories related to LemmyNet/lemmy in the GitHub Advisory Database