Browse all 5 CVE security advisories affecting miniflux. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Miniflux is a self-hosted RSS reader and feed aggregator designed for users seeking a lightweight, privacy-focused alternative to cloud-based services. Historically, it has been susceptible to various vulnerability classes including cross-site scripting (XSS), remote code execution (RCE), and privilege escalation, primarily stemming from improper input validation and authentication flaws. The project maintains an active security response, addressing issues promptly when disclosed. While no major public security incidents have been widely reported, the presence of five CVEs indicates a need for regular updates and careful configuration by users to mitigate potential risks in this open-source application.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-21885 | Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources — v2, CWE-918 | 6.5 | Medium | 2026-01-08 |
| CVE-2025-67713 | Miniflux 2 has an Open Redirect via protocol-relative `redirect_url` — v2, CWE-601 | 6.1 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-31483 | Stored XSS in Miniflux Media Proxy due to improper Content-Security-Policy configuration — v2, CWE-79 | 6.1 (AI) | Medium (AI) | 2025-04-03 |
| CVE-2023-27591 | Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics — v2, CWE-1220 | 7.5 | High | 2023-03-17 |
| CVE-2023-27592 | Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler — v2, CWE-79 | 4.8 | Medium | 2023-03-17 |
This page lists every published CVE security advisory associated with miniflux. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.