Cyber Resilience

CVE-2026-39376

High · Public PoC · DDoS

Published: 07 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (fixed in 0.5.10)
CVSS Score (v3.1): 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0008 (23.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39376 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Kagi's FastFeedParser. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 23.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39376 is an unbounded recursion vulnerability (CWE-674) in FastFeedParser, a high-performance RSS, Atom, and RDF parser written in Python. In versions prior to 0.5.10, the parse() function fetches a provided URL and, if the response is an HTML page containing a <meta http-equiv="refresh"> tag, recursively invokes itself with the redirect URL. This recursion lacks depth limits, visited-URL deduplication, or redirect count caps, enabling stack exhaustion. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this remotely over the network, with low complexity and no privileges, by controlling a server that responds with an endless chain of HTML meta-refresh redirects. Any application that passes untrusted feed URLs to a vulnerable FastFeedParser version can be targeted; the Python call stack is exhausted and the process crashes (denial of service). Because only the initial URL is checked before fetching, the flaw can also be chained with the companion SSRF issue: a meta-refresh redirect steers the subsequent fetch toward internal network targets that the initial check would have rejected.

The vulnerability is addressed in FastFeedParser version 0.5.10. Additional details on the fix and affected versions are available in the GitHub security advisory at https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37.
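To make the failure mode concrete, the following added example (written for this page, not FastFeedParser's own code) models the recursion the advisory describes next to the shape of fix it implies: a redirect cap, visited-URL deduplication, and, as an additional hardening assumed here rather than stated by the advisory, re-validating the host on every hop so a meta-refresh cannot escape the initial URL check. The in-memory server in fake_fetch, the hostnames evil.example, feeds.example and internal.example, the simplified meta-refresh regex, and all function names are constructed for the illustration.

```python
"""Model of CVE-2026-39376: unbounded meta-refresh recursion vs. a bounded loop.

Constructed illustration for this page; it is not FastFeedParser's code. All
hostnames, the in-memory server, and the helper names are assumptions."""
import re
from urllib.parse import urljoin, urlparse

# Simplified extractor for <meta http-equiv="refresh" content="N; url=..."> (constructed).
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def refresh_page(target):
    """Constructed HTML body whose only content is a meta refresh to `target`."""
    return f'<html><head><meta http-equiv="refresh" content="0; url={target}"></head></html>'


def fake_fetch(url):
    """Stand-in for an HTTP GET; returns (content_type, body). Constructed data:
    evil.example answers every /hop/N with a refresh to /hop/N+1 (endless chain),
    /loop refreshes to itself, and /to-internal refreshes to an internal host."""
    p = urlparse(url)
    if p.hostname == "evil.example":
        m = re.match(r"/hop/(\d+)$", p.path)
        if m:
            return "text/html", refresh_page(f"/hop/{int(m.group(1)) + 1}")
        if p.path == "/loop":
            return "text/html", refresh_page("/loop")
        if p.path == "/to-internal":
            return "text/html", refresh_page("http://internal.example/feed")
    if p.hostname == "feeds.example":
        return "application/rss+xml", "<rss><channel><title>public feed</title></channel></rss>"
    if p.hostname == "internal.example":
        return "application/rss+xml", "<rss><channel><title>internal feed</title></channel></rss>"
    raise ConnectionError(f"no route to {url}")


def meta_refresh_target(body, base_url):
    """Absolute redirect target of the first meta refresh in `body`, or None."""
    m = META_REFRESH.search(body)
    return urljoin(base_url, m.group(1)) if m else None


# --- Vulnerable shape (as the advisory describes it): recurse on every refresh. ---
def parse_vulnerable(url):
    ctype, body = fake_fetch(url)
    if ctype.startswith("text/html"):
        target = meta_refresh_target(body, url)
        if target is not None:
            return parse_vulnerable(target)  # no depth cap, no visited set, no re-check
    return body


def fetch_feed_vulnerable(url, allow_host):
    """Caller that validates only the initial URL, then hands off to parse_vulnerable.
    Redirect targets are never re-checked, so one refresh escapes the check."""
    if not allow_host(urlparse(url).hostname):
        raise ValueError(f"blocked URL: {url}")
    return parse_vulnerable(url)


# --- Hardened shape: iterative, capped, deduplicated, every hop re-validated. ---
def parse_hardened(url, allow_host, max_redirects=5):
    visited = set()
    for _ in range(max_redirects + 1):
        if not allow_host(urlparse(url).hostname):
            raise ValueError(f"blocked URL: {url}")
        if url in visited:
            raise ValueError(f"redirect loop at {url}")
        visited.add(url)
        ctype, body = fake_fetch(url)
        if not ctype.startswith("text/html"):
            return body
        target = meta_refresh_target(body, url)
        if target is None:
            return body  # HTML without a refresh: hand back as-is
        url = target
    raise ValueError(f"too many meta-refresh redirects (max {max_redirects})")


def run_scenarios():
    """Drive both parsers over the constructed server; returns outcome strings."""
    def deny_internal(host):
        return host != "internal.example"  # toy policy standing in for the real URL check

    out = {}

    def attempt(key, fn):
        try:
            out[key] = fn()
        except RecursionError:
            out[key] = "RecursionError"  # where a real process would die
        except ValueError as e:
            out[key] = str(e)

    attempt("vulnerable_chain", lambda: parse_vulnerable("http://evil.example/hop/0"))
    attempt("hardened_chain", lambda: parse_hardened("http://evil.example/hop/0", deny_internal))
    attempt("vulnerable_loop", lambda: parse_vulnerable("http://evil.example/loop"))
    attempt("hardened_loop", lambda: parse_hardened("http://evil.example/loop", deny_internal))
    attempt("vulnerable_ssrf", lambda: fetch_feed_vulnerable("http://evil.example/to-internal", deny_internal))
    attempt("hardened_ssrf", lambda: parse_hardened("http://evil.example/to-internal", deny_internal))
    attempt("benign", lambda: parse_hardened("http://feeds.example/feed", deny_internal))
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:16s} {value}")
```

Running the script shows the two shapes side by side: the recursive version dies with RecursionError on both the endless chain and the self-loop and happily returns the internal feed after the single entry check, while the iterative version stops at the redirect cap, detects the loop from the visited set, refuses the internal host on the second hop, and still returns the benign feed. The same three controls (cap, deduplication, per-hop validation) are what the mitigating-controls section below asks for.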


Vulnerability details

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL, with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.

CWE(s)

CWE-674 Uncontrolled Recursion

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The unbounded recursion in URL parsing directly enables remote exploitation of the application to cause stack exhaustion and process crash, mapping to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34211 (shared CWE-674)
CVE-2026-32141 (shared CWE-674)
CVE-2026-44289 (shared CWE-674)
CVE-2026-32944 (shared CWE-674)
CVE-2025-70957 (shared CWE-674)
CVE-2026-32933 (shared CWE-674)
CVE-2024-8176 (shared CWE-674)
CVE-2026-33498 (shared CWE-674)
CVE-2026-42039 (shared CWE-674)
CVE-2026-6479 (shared CWE-674)

Affected Assets

kagi / fastfeedparser: versions prior to 0.5.10 (< 0.5.10; fixed in 0.5.10)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation (prevent)
Update FastFeedParser to version 0.5.10 or later, which implements recursion depth limits, visited-URL deduplication, and redirect caps to directly prevent stack exhaustion.

SC-5 Denial-of-service Protection (prevent)
Denial-of-service protection mechanisms limit resource consumption during recursive URL fetches, mitigating the unbounded recursion that leads to process crashes.

SI-10 Information Input Validation (prevent)
Information input validation on URLs and HTML content detects and blocks malicious meta-refresh tags that trigger recursive parsing chains.
