Golang/Miniflux.app/V2 | GitLab Advisory Database

Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration

Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window.

Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics

An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).

Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors.

Advisories for Golang/Miniflux.app/V2 package