CVE-2026-39087

Critical

Published: 23 April 2026

Published

23 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0032 55.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2026-39087, published on 2026-04-23, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Ntfy, specifically the ntfy.sh server before version 2.21. The issue resides in the parseActions function, enabling a remote attacker to execute arbitrary code, classified under CWE-94 (Code Injection).

Any remote attacker can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows full arbitrary code execution on the targeted Ntfy server, resulting in high impacts to confidentiality, integrity, and availability.

Advisories recommend updating to Ntfy version 2.21 or later to mitigate the vulnerability. Additional details are available in the references: http://ntfy.com, http://ntfysh.com, and https://gist.github.com/MightyNawaf/5d41d6e8ead16e217f86b016002ecae5.

Details

CWE(s): CWE-94

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote code execution on a public-facing Ntfy.sh server via code injection, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://ntfy.com
cve@mitre.org
http://ntfysh.com
cve@mitre.org
https://gist.github.com/MightyNawaf/5d41d6e8ead16e217f86b016002ecae5
cve@mitre.org