GHSA-vg32-rqh8-j8pmMediumCVSS 4.3

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated...

Published
June 25, 2026
Last Modified
June 25, 2026

🔗 CVE IDs covered (1)

📋 Description

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.

🔗 References (5)