CVE-2026-57575 is a Server-Side Request Forgery (SSRF) vulnerability in Misskey's URL preview functionality. The issue allows a remote attacker to cause the Misskey server to initiate HTTP requests to loopback, private, or link-local services due to missing network restrictions before establishing outbound connections. However, no sensitive internal data is believed to be transmitted back or exposed to th [truncated]
CVE-2026-57574 is a HIGH-severity vulnerability in Misskey's Time-based One-Time Password (TOTP) authentication. The issue allows the reuse of a single-use TOTP code within its valid time step if both credentials and the TOTP code are obtained concurrently. This could lead to unauthorized actions, potentially resulting in account takeover. The vulnerability is fixed in Misskey version 2026.6.0. The vulner [truncated]