{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-50131/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-11T14:16:17.350Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-50131","@id":"https://www.cve.org/CVERecord?id=CVE-2026-50131","description":"Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IP"},"products":[{"@id":"cpe:2.3:a:fedify-dev:fedify:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:fedify-dev:fedify:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:fedify-dev:vocab-runtime:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:fedify-dev:vocab-runtime:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-11T14:16:17.350Z"}]}