| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-pqhx-w72w-m393 | ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function |
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Tue, 14 Jul 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF Vulnerability in ntfy Due to Unanchored Endpoint URL Validation |
Sat, 11 Jul 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF via Unanchored Regular Expression in ntfy before v2.22.0 |
Thu, 09 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF via Unanchored Regular Expression in ntfy before v2.22.0 |
Thu, 09 Jul 2026 03:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Server‑Side Request Forgery via Unanchored URL Validation in ntfy |
Tue, 07 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Server‑Side Request Forgery via Unanchored URL Validation in ntfy |
Mon, 06 Jul 2026 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF Vulnerability in ntfy Web Push Endpoint Parsing |
Mon, 06 Jul 2026 04:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF Vulnerability in ntfy Web Push Endpoint Parsing |
Sat, 04 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs. |
| Weaknesses | CWE-777 | |
| References |
| |
| Metrics |
cvssV3_1
|
cvssV3_1
|
Mon, 04 May 2026 07:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Remote Code Execution via Action Parsing in Ntfy ntfy.sh |
Mon, 04 May 2026 05:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. |
| References |
|
Tue, 28 Apr 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Remote Code Execution via Action Parsing in Ntfy ntfy.sh |
Tue, 28 Apr 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ntfy
Ntfy ntfy.sh |
|
| Vendors & Products |
Ntfy
Ntfy ntfy.sh |
Thu, 23 Apr 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-94 | |
| Metrics |
cvssV3_1
|
Thu, 23 Apr 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-05T16:16:27.697Z
Reserved: 2026-04-06T00:00:00.000Z
Link: CVE-2026-39087
Updated: 2026-04-23T18:58:08.343Z
Status : Awaiting Analysis
Published: 2026-04-23T16:16:25.063
Modified: 2026-06-17T10:41:50.797
Link: CVE-2026-39087
No data.
OpenCVE Enrichment
Updated: 2026-07-14T21:45:16Z
Github GHSA