{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-56285", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-06-20T01:51:24.919Z", "datePublished": "2026-06-29T17:13:57.473Z", "dateUpdated": "2026-06-29T19:26:45.502Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-29T17:13:57.473Z"}, "title": "Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint", "descriptions": [{"lang": "en", "value": "Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources."}], "tags": ["x_open-source"], "datePublic": "2026-06-13T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "type": "CWE"}, {"lang": "en", "cweId": "CWE-1188", "description": "Initialization of a Resource with an Insecure Default", "type": "CWE"}]}], "affected": [{"vendor": "zedeus", "product": "nitter", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "versionType": "git", "lessThan": "44b2f096f67da2cc257a0e262a94a7ae79e95d47"}], "repo": "https://github.com/zedeus/nitter"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}}], "references": [{"url": "https://github.com/zedeus/nitter/issues/1411", "name": "Researcher Disclosure", "tags": ["issue-tracking"]}, {"url": "https://github.com/zedeus/nitter/commit/44b2f096f67da2cc257a0e262a94a7ae79e95d47", "name": "Patch Commmit", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/nitter-server-side-request-forgery-in-video-media-proxy-endpoint", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "George Chen", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"references": [{"url": "https://github.com/zedeus/nitter/issues/1411", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-29T19:26:23.558914Z", "id": "CVE-2026-56285", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T19:26:45.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-56285", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-29T19:26:23.558914Z"}}}], "references": [{"url": "https://github.com/zedeus/nitter/issues/1411", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T19:26:40.637Z"}}], "cna": {"tags": ["x_open-source"], "title": "Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint", "credits": [{"lang": "en", "type": "finder", "value": "George Chen"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zedeus/nitter", "vendor": "zedeus", "product": "nitter", "versions": [{"status": "affected", "version": "0", "lessThan": "44b2f096f67da2cc257a0e262a94a7ae79e95d47", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-06-13T00:00:00.000Z", "references": [{"url": "https://github.com/zedeus/nitter/issues/1411", "name": "Researcher Disclosure", "tags": ["issue-tracking"]}, {"url": "https://github.com/zedeus/nitter/commit/44b2f096f67da2cc257a0e262a94a7ae79e95d47", "name": "Patch Commmit", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/nitter-server-side-request-forgery-in-video-media-proxy-endpoint", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}, {"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "Initialization of a Resource with an Insecure Default"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-29T17:13:57.473Z"}}}, "cveMetadata": {"cveId": "CVE-2026-56285", "state": "PUBLISHED", "dateUpdated": "2026-06-29T19:26:45.502Z", "dateReserved": "2026-06-20T01:51:24.919Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-06-29T17:13:57.473Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{}

{}

{"created": "2026-06-29T19:30:02.543253+00:00", "updated": "2026-06-29T19:30:02.543258+00:00", "vendors": []}