CVE-2026-39087: ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function

Severity: Critical

CVSS Score: 9.8

ntfy before 2.22.0 allows SSRF because of an unanchored regular expression.