Loading market data...
← Back to CVE feed

CVE-2026-56285

HIGH CVSS 8.6 View on NVD ↗

Description

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Published: Jun 29, 2026 18:16 UTC Modified: Jun 29, 2026 20:17 UTC