Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-h4jg-4h7m-auaz
Vulnerability ID VCID-h4jg-4h7m-auaz
Aliases CVE-2026-39376
GHSA-4gx2-pc4f-wq37
PYSEC-2026-60
Summary FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-674 Uncontrolled Recursion
CWE-400 Uncontrolled Resource Consumption
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2026-39376
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2026-39376
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-4gx2-pc4f-wq37
cvssv3.1 7.5 https://github.com/kagisearch/fastfeedparser
generic_textual HIGH https://github.com/kagisearch/fastfeedparser
cvssv3.1 7.5 https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
cvssv3.1_qr HIGH https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
generic_textual HIGH https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
ssvc Track https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/fastfeedparser/PYSEC-2026-60.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/fastfeedparser/PYSEC-2026-60.yaml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-39376
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-39376
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-39376
https://github.com/kagisearch/fastfeedparser
https://github.com/pypa/advisory-database/tree/main/vulns/fastfeedparser/PYSEC-2026-60.yaml
https://nvd.nist.gov/vuln/detail/CVE-2026-39376
GHSA-4gx2-pc4f-wq37 https://github.com/advisories/GHSA-4gx2-pc4f-wq37
GHSA-4gx2-pc4f-wq37 https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/kagisearch/fastfeedparser
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-08T19:17:44Z/ Found at https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/fastfeedparser/PYSEC-2026-60.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-39376
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.2317
EPSS Score 0.00077
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:46:04.771959+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/39xxx/CVE-2026-39376.json 38.6.0