Product Name: ntfy
Vulnerability: Stored Cross-Site Scripting (XSS)
Vulnerable Version: 2.22.0
In May 2026, security researchers at Astra identified a Stored Cross-Site Scripting (XSS) vulnerability in the SVG attachment preview function of ntfy, affecting versions up to 2.22.0.
Stored Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject and permanently execute malicious scripts within a web application. If exploited, the threat actor could perform actions on behalf of the victim.
Technical Breakdown
The vulnerability was discovered during a manual security review of the attachment-handling and preview functionality in ntfy. The flaw allows threat actors to execute arbitrary JavaScript within the application's origin when another user previews or opens the uploaded attachment.
How was it discovered?
Our researcher discovered the Stored XSS during a manual security review of ntfy's attachment handling and preview functionality. When testing how uploaded files are rendered, it was observed that SVG files were served and previewed directly, without any sanitization or content restrictions.
A specially crafted malicious SVG payload with embedded JavaScript was created via standard attachment features. Upon opening or previewing the file, the embedded JavaScript executed successfully within the application’s origin context, confirming a stored XSS vulnerability.
How to replicate the vulnerability
- Create an XML file with embedded JavaScript and name it malicious.svg.
- Go to the attachment upload feature and upload malicious.svg through the normal workflow.
- Trigger the XSS by navigating to the uploaded attachment and opening it using the preview or view feature.
- The embedded JavaScript is now executed automatically.
Note: The issue was consistently reproducible until the patch was introduced in commit 2911340.
Impact of Stored XSS
The Stored XSS vulnerability in ntfy (versions < 2.2.0) is particularly severe because it allows attackers to embed malicious JavaScript into SVG attachments that are persistently stored on the server.
Once a victim opens or previews the attachment, the payload executes automatically within the victim’s authenticated session and accesses internal APIs on the victim’s behalf.
The vulnerability could lead to:
- Session hijacking and theft of authenticated session tokens.
- Sensitive data exfiltration.
- Potential compromise of administrator accounts if privileged users preview the malicious attachment.
- Execution of actions on behalf of the victim (account takeover).
Current Status
The issue was responsibly disclosed to the project maintainer. The maintainer acknowledged the report and fixed the vulnerability in commit 2911340. The issue can be tracked under GitHub Advisory GHSA-j8hr-p342-xrmh.
What Can You Do?
Users are strongly advised to update ntfy to version 2.23.0 to mitigate this vulnerability. If updating is not possible due to compatibility issues, implement the following workarounds:
- Disable attachment previews.
- Block SVG file uploads.
- Implement a strict CSP header that blocks script execution.
- Disable direct preview/open functionality for attachments.
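The following Go program is an added illustration of the workaround list above (blocking SVG uploads, and serving attachments with headers that prevent inline rendering and script execution); it is not ntfy's own code and does not reflect how the project's fix in commit 2911340 is implemented. The `UploadHandler`, `ServeAttachment` and `IsSVG` names and the 1 MiB body limit are assumptions made for the example. The upload check sniffs the file content rather than trusting the extension, so an SVG renamed to `.png` is still rejected; the serve path sets `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff` and a `default-src 'none'; sandbox` CSP so that even an attachment that is still SVG is downloaded rather than executed in the application's origin.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// svgRoot matches an <svg root element, optionally preceded by an XML prolog,
// comments, a DOCTYPE and whitespace. Sniffing the content instead of trusting
// the file extension means an SVG renamed to ".png" is still recognised.
var svgRoot = regexp.MustCompile(`(?is)^\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*(?:<!doctype[^>]*>\s*)?<svg[\s>/]`)

// IsSVG reports whether the head of an upload looks like an SVG document.
func IsSVG(data []byte) bool {
	head := data
	if len(head) > 1024 { // the root element is always near the start
		head = head[:1024]
	}
	return svgRoot.Match(head)
}

// sanitizeFilename keeps the Content-Disposition header well formed: quotes,
// CR/LF and path separators are dropped so the name cannot break out of it.
func sanitizeFilename(name string) string {
	name = strings.Map(func(r rune) rune {
		switch r {
		case '"', '\\', '/', '\r', '\n':
			return -1
		}
		return r
	}, name)
	if name == "" {
		return "attachment"
	}
	return name
}

// SetSafeAttachmentHeaders hardens the serve side ("disable preview" and
// "strict CSP" from the workaround list): the browser is told to download
// rather than render, never to sniff a type, and, should it render anyway,
// to run no script.
func SetSafeAttachmentHeaders(h http.Header, filename string) {
	h.Set("Content-Type", "application/octet-stream")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, sanitizeFilename(filename)))
	h.Set("Content-Security-Policy", "default-src 'none'; script-src 'none'; sandbox")
}

// UploadHandler is a hypothetical endpoint (not ntfy's own) implementing the
// "block SVG uploads" workaround: an SVG body is refused with 415 regardless
// of the declared file name or Content-Type. The 1 MiB limit is an assumption.
func UploadHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		http.Error(w, "could not read upload", http.StatusBadRequest)
		return
	}
	if IsSVG(body) {
		http.Error(w, "SVG attachments are not accepted", http.StatusUnsupportedMediaType)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

// ServeAttachment writes stored attachment bytes with the hardened headers.
func ServeAttachment(w http.ResponseWriter, filename string, data []byte) {
	SetSafeAttachmentHeaders(w.Header(), filename)
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

func main() {
	// Constructed samples: a benign SVG (no script in it) uploaded under a
	// ".png" name, and a real PNG signature. Content sniffing tells them apart.
	svg := []byte("<?xml version=\"1.0\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\"><rect/></svg>")
	png := []byte("\x89PNG\r\n\x1a\n")

	for _, data := range [][]byte{svg, png} {
		req := httptest.NewRequest(http.MethodPut, "/upload/picture.png", bytes.NewReader(data))
		rec := httptest.NewRecorder()
		UploadHandler(rec, req)
		fmt.Printf("svg=%v -> HTTP %d\n", IsSVG(data), rec.Code)
	}

	rec := httptest.NewRecorder()
	ServeAttachment(rec, `ev"il.svg`, svg)
	fmt.Println(rec.Header().Get("Content-Disposition"))
}
```

Running the program prints `svg=true -> HTTP 415`, `svg=false -> HTTP 201` and a Content-Disposition of `attachment; filename="evil.svg"`. The serve-side headers are worth keeping even after upgrading: they are defence in depth against any future file type the preview feature learns to render inline.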
Moreover, Astra Security helps you test for this vulnerability during a manual pentest.