{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39376", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.350Z", "datePublished": "2026-04-07T19:46:08.816Z", "dateUpdated": "2026-04-08T19:22:49.417Z"}, "containers": {"cna": {"title": "FastFeedParser has an infinite redirect loop DoS via meta-refresh chain", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37"}], "affected": [{"vendor": "kagisearch", "product": "fastfeedparser", "versions": [{"version": "< 0.5.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:46:08.816Z"}, "descriptions": [{"lang": "en", "value": "FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv=\"refresh\"> tag, it recursively calls itself with the redirect URL \u2014 with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10."}], "source": {"advisory": "GHSA-4gx2-pc4f-wq37", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:17:44.454321Z", "id": "CVE-2026-39376", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:49.417Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39376", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:17:44.454321Z"}}}], "references": [{"url": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:17:58.606Z"}}], "cna": {"title": "FastFeedParser has an infinite redirect loop DoS via meta-refresh chain", "source": {"advisory": "GHSA-4gx2-pc4f-wq37", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kagisearch", "product": "fastfeedparser", "versions": [{"status": "affected", "version": "< 0.5.10"}]}], "references": [{"url": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37", "name": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv=\"refresh\"> tag, it recursively calls itself with the redirect URL \u2014 with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:46:08.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39376", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:22:49.417Z", "dateReserved": "2026-04-06T21:29:17.350Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:46:08.816Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv=\"refresh\"> tag, it recursively calls itself with the redirect URL \u2014 with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10."}], "id": "CVE-2026-39376", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:32.450", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.5.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "fastfeedparser", "source": "cna", "vendor": "kagisearch"}, "product": "fastfeedparser", "vendor": "kagisearch"}], "analysis": {"en": {"generated_at": "2026-04-07T22:18:24.711105+00:00", "value": {"mitigation_remediation": ["Upgrade to fastfeedparser 0.5.10 or later, which limits redirect depth and removes meta\u2011refresh recursion.", "If an upgrade cannot be performed immediately, restrict the URLs that applications pass to parse() to a whitelist of trusted domains, preventing malicious URLs from being processed.", "If URL whitelisting is not possible, consider patching the library to impose a reasonable redirect limit or use a custom wrapper that terminates recursion after a safe depth."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the kagisearch:fastfeedparser library for all releases before 0.5.10. No specific operating system or platform is mentioned; the issue is in the parser code itself. Users that incorporate fastfeedparser in their applications, particularly those that process untrusted URLs, are potentially exposed.", "description_and_impact": "FastFeedParser is a high\u2011performance RSS, Atom and RDF parser. In versions before 0.5.10 the parse() method follows HTTP redirects delivered by <meta http\u2011equiv=\"refresh\"> tags without any depth limit or visited\u2011URL tracking. An attacker that controls a server can return an infinite chain of meta\u2011refresh responses. The parser then recurses unboundedly, exhausting the Python call stack and crashing the process. Because the parser accepts any URL, the same chain can be combined with the SSRF flaw in the companion issue to reach internal network destinations after bypassing the URL check.", "risk_and_exploitability": "The issue carries a CVSS score of 7.5, indicating a high severity level. No EPSS value is provided, and it is not listed in CISA\u2019s KEV catalog, so the public exploitation likelihood has not been quantified. However, the attacker only needs to supply a malicious URL; the library will attempt to fetch it, making the risk high for systems that call parse() on user\u2011supplied data. If the attacker also exploits the SSRF side channel, internal resources become reachable, raising the potential impact."}}}}, "created": "2026-04-08T19:34:36.278995+00:00", "updated": "2026-04-08T19:46:08.275465+00:00", "vendors": ["kagisearch", "kagisearch$PRODUCT$fastfeedparser"]}