CVE-2026-39087 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-39087 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-39087 is a critical remote code execution vulnerability in Ntfy (ntfy.sh), an open-source push notification service. It affects all versions prior to v2.21 and lies in the application's parseActions function.
Technical Detail
The flaw resides in the parseActions function, which processes user-supplied input without adequate validation or sanitization, allowing a remote unauthenticated attacker to supply maliciously crafted data that results in arbitrary code execution on the server. The exact mechanism has not been fully disclosed publicly, but the attack surface is network-accessible and requires no prior authentication, consistent with the CVSS 9.8 critical score. Successful exploitation would grant an attacker the ability to execute arbitrary commands in the context of the Ntfy server process, potentially leading to full system compromise, data exfiltration, or use of the host as a pivot point.
Exploitation Status
No known exploit code has been observed or confirmed in the wild as of April 30, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is assessed as "no known exploit" at this time, though the critical severity and the unauthenticated remote attack vector make it a high-priority candidate for future exploit development.
Who Is Targeting This
No specific threat actor attribution at this time. Given the nature of the vulnerability and the broad deployment of Ntfy in self-hosted and enterprise notification infrastructure, opportunistic threat actors scanning for unpatched instances represent the most likely near-term risk profile.
What To Do
Upgrade all Ntfy installations to version 2.21 or later immediately. Given the critical CVSS score of 9.8 and the unauthenticated remote code execution potential, patching should be treated as urgent regardless of current exploitation status. If immediate patching is not possible, restrict network access to Ntfy instances using firewall rules or reverse proxy authentication controls to limit exposure to trusted sources only. Operators should audit Ntfy server logs for anomalous or malformed action payloads as a detection signal. Monitor the CISA KEV catalog and vendor security advisories for updates on exploitation activity.