
Selfoss Loopback Request Handling Command Execution and Information Disclosure

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-50872

An unauthenticated remote attacker can exploit a vulnerability in the loopback request handling of a web-based RSS reader to execute arbitrary commands and obtain sensitive information by sending a crafted HTTP request. This issue is relevant if the software is used and exposed, as it could lead to unauthorized command

Halo Surface Signal: 4

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-50872

Selfoss is a web-based RSS reader application designed to be deployed as a web service. Because it acts as a web-accessible platform for aggregating and reading feeds, it is commonly exposed as an internet-facing or network-accessible web application, making the vulnerable HTTP request handling component reachable in typical deployment scenarios.

PCI scan relevance

PCI Relevance for CVE-2026-50872

Yes

CVE-2026-50872 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for arbitrary command execution and sensitive data exposure. Given its critical severity and network accessibility, it is relevant for PCI scan requirements.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated remote attacker can exploit a vulnerability in a web-based RSS reader to execute commands and access sensitive information by sending a specially crafted HTTP request. This issue affects the loopback request handling component of the software. The main concern is confirming relevance and exposure.

  • Web-based RSS reader vulnerability allows remote code execution.
  • Important for leaders to know due to potential data exposure.
  • Verify if this software is used and if it is exposed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted HTTP request to a selfoss instance accessible over the network. This request would target the loopback request handling component, potentially leading to the execution of arbitrary commands and the disclosure of sensitive information.

  • Network access required.
  • Vulnerable HTTP request handling.
  • Arbitrary code execution and data theft.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, an attacker could execute arbitrary commands and obtain sensitive information by sending a specially crafted HTTP request to the loopback request handling component.

  • Impact: execution of system commands and disclosure of sensitive information.
  • Trigger: a crafted HTTP request to the loopback request handling component.
  • Result: unauthorized command execution and data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

For Selfoss deployments, the platform team likely manages the core application, while infrastructure or cloud teams handle the underlying compute and network access. The first practical step is to locate all Selfoss instances, determine their exposure (internal vs. external), and identify the business criticality and accountable owner for each. Subsequently, a risk-based remediation plan should be developed, coordinating with the vendor if necessary.

  • Application owners are responsible for Selfoss.
  • Verify Selfoss instance exposure and criticality.
  • Plan risk-based remediation and vendor coordination.

Frequently asked questions

What is fossar selfoss?

Selfoss is a web-based RSS reader application that aggregates news feeds and content into a centralized, searchable interface. Because it is designed to be hosted as a web service, it acts as a platform for users to manage their digital subscriptions, typically running on a server that processes web requests to fetch and display the latest information from various external sources.

What does CVE-2026-50872 mean?

This CVE identifies a security weakness classified as CWE-94, or Improper Control of Generation of Code. In the context of selfoss, it means the software fails to properly sanitize incoming data within its loopback request handling component. An attacker can manipulate this flaw to inject and execute their own unauthorized system commands or access private information that should remain protected.

How can an attacker trigger this vulnerability?

An attacker triggers the bug by sending a specifically crafted HTTP request to the vulnerable loopback component of the selfoss application. The vulnerability relies on the application incorrectly processing this request. Simply browsing the RSS feeds normally or using the application's standard interface for reading content will not trigger the flaw; it requires a malicious, malformed request intended to exploit the command execution path.

Is my selfoss instance at risk?

If your selfoss instance is reachable over the internet, it is at higher risk because the loopback component is accessible to remote attackers. Halo Surface Signal notes that since selfoss is typically deployed as a web-accessible platform, it is commonly exposed in ways that make this component reachable. Instances isolated within a secure, private network are generally less accessible to external threats, though still vulnerable to attackers already inside the network.

What should I do if I run selfoss?

Your first step is to create a complete inventory of all selfoss instances running in your environment. For each instance, confirm who owns the application and determine if it is exposed to the internet or restricted to internal users. Once you have a clear picture of your footprint and the business criticality of each deployment, work with your infrastructure teams to coordinate a risk-based remediation plan, which may include checking with the vendor for updates.
