CVE-2017-16896

critical

Published 2017-11-20 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

A SQL injection in classes/handler/public.php in the forgotpass component of Tiny Tiny RSS 17.4 exists via the login parameter.

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-16896

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669

OS	Version	Status	Fixed in
debian	bookworm	fixed	`17.4+git20180312+dfsg-1`
debian	bullseye	fixed	`17.4+git20180312+dfsg-1`
debian	sid	fixed	`17.4+git20180312+dfsg-1`

Vendor	Product	Versions	Fixed
tt-rss	tiny_tiny_rss	`17.4`

CWE-89

Verify integrity in audit chain (admin only). AS-IS.