In recent days, attackers exploited a zero-day vulnerability to hack several instances of the Reddit alternative Lemmy. The open source software, which facilitates self-hosted news aggregation and discussion forums, runs as a network of interconnected servers operated by different individuals and organizations. The attacker took advantage of a cross-site scripting (XSS) vulnerability related to custom emojis, leading to defaced pages on popular instances such as Lemmy.world. By stealing authentication cookies, the attacker compromised user accounts, gaining access to private messages and email addresses, and redirected users to objectionable content.
Read more: https://www.securityweek.com/hackers-target-reddit-alternative-lemmy-via-zero-day-vulnerability/