Launch Week Day 1: Announcing Security Design Review

ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function

GHSA-pqhx-w72w-m393 · CVE-2026-39087

Published Apr 23, 2026 · Modified May 8, 2026

Description

An issue in Ntfy ntfy.sh before v.2.22.0 allows a remote attacker to execute arbitrary code via the parseActions function.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes