Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-pqhx-w72w-m393 | ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function |
Tue, 07 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Server‑Side Request Forgery via Unanchored URL Validation in ntfy |
Mon, 06 Jul 2026 13:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF Vulnerability in ntfy Web Push Endpoint Parsing |
Mon, 06 Jul 2026 04:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | SSRF Vulnerability in ntfy Web Push Endpoint Parsing |
Sat, 04 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs. |
| Weaknesses | CWE-777 | |
| References |
| |
| Metrics |
cvssV3_1
|
cvssV3_1
|
Mon, 04 May 2026 07:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Remote Code Execution via Action Parsing in Ntfy ntfy.sh |
Mon, 04 May 2026 05:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. |
| References |
|
Tue, 28 Apr 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Remote Code Execution via Action Parsing in Ntfy ntfy.sh |
Tue, 28 Apr 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ntfy
Ntfy ntfy.sh |
|
| Vendors & Products |
Ntfy
Ntfy ntfy.sh |
Thu, 23 Apr 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-94 | |
| Metrics |
cvssV3_1
|
Thu, 23 Apr 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function | |
| References |
|
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-05T16:16:27.697Z
Reserved: 2026-04-06T00:00:00.000Z
Link: CVE-2026-39087
Updated: 2026-04-23T18:58:08.343Z
Status : Awaiting Analysis
Published: 2026-04-23T16:16:25.063
Modified: 2026-06-17T10:41:50.797
Link: CVE-2026-39087
No data.
OpenCVE Enrichment
Updated: 2026-07-07T22:15:03Z
Github GHSA