CVE-2026-39087

Description

An issue in Ntfy ntfy.sh before v.2.22.0 allows a remote attacker to execute arbitrary code via the parseActions function.

How to fix CVE-2026-39087

To remediate CVE-2026-39087, upgrade the affected package to a fixed version below.

• Go/heckel.io/ntfy/v2—upgrade to 2.22.0 or later

Is CVE-2026-39087 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.22.0

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-39087
• PATCHgithub.com/binwiederhier/ntfy
• WEBntfy.com
• WEBntfysh.com
• WEBgist.github.com/MightyNawaf/5d41d6e8ead16e217f86b016002ecae5