PatchSiren

misskey-dev CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM misskey-dev CVE published 2026-07-10

CVE-2026-57575

CVE-2026-57575 is a Server-Side Request Forgery (SSRF) vulnerability in Misskey's URL preview functionality. The issue allows a remote attacker to cause the Misskey server to initiate HTTP requests to loopback, private, or link-local services due to missing network restrictions before establishing outbound connections. However, no sensitive internal data is believed to be transmitted back or exposed to th [truncated]

HIGH misskey-dev CVE published 2026-07-10

CVE-2026-57574

CVE-2026-57574 is a HIGH-severity vulnerability in Misskey's Time-based One-Time Password (TOTP) authentication. The issue allows the reuse of a single-use TOTP code within its valid time step if both credentials and the TOTP code are obtained concurrently. This could lead to unauthorized actions, potentially resulting in account takeover. The vulnerability is fixed in Misskey version 2026.6.0. The vulner [truncated]