Description

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.

INFO

Published Date :

2026-04-07T19:46:08.816Z

Last Modified :

2026-04-08T19:22:49.417Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39376 vulnerability.

Vendors Products
Kagi
  • Fastfeedparser
Kagisearch
  • Fastfeedparser
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39376.

URL Resource
https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact