Security

Report a vulnerability

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

Use Github's security advisory issue system.

Rate limit bypass via X-Forwarded-For header spoofing in actix-web ConnectionInfo
GHSA-2hrg-7x4g-9vpg published Jun 9, 2026 by Nutomic

Moderate
Stored XSS via markdown image alt-text in lemmy-ui html5-embed
GHSA-2g66-9fr3-ppwj published Jun 9, 2026 by Nutomic

Low
Login Endpoint User Enumeration via HTTP Response Code Differential
GHSA-xgg7-8hvq-8m65 published Jun 9, 2026 by Nutomic

Moderate
Multi-community `Update` has no actor authorization
GHSA-5qxq-g3f3-57p5 published May 19, 2026 by Nutomic

Low
Private community profile and moderators leak via federation HTTP
GHSA-9wj2-3cv5-cqrx published May 18, 2026 by Nutomic

Low
`CollectionAdd::Featured` does not check the post is in the community
GHSA-gwfj-h8r7-792v published Jun 9, 2026 by Nutomic

Low
Private community data exposed through community, saved, liked, and modlog API views
GHSA-95q8-x6r6-672m published Apr 29, 2026 by Nutomic

Low
Blocked users can edit private messages sent before the block
GHSA-46g9-847m-qf8r published Jun 9, 2026 by Nutomic

Low
Private Lemmy instances expose multi-community metadata without authentication
GHSA-jmxc-hhwx-gvv3 published Apr 29, 2026 by Nutomic

Low
Lower-ranked federated moderator can remove higher-ranked moderators
GHSA-xmpx-2j2f-c7g7 published Jun 9, 2026 by Nutomic

Moderate

Learn more about advisories related to LemmyNet/lemmy in the GitHub Advisory Database

⚡