Unrated severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 10, 2026
Hollo DMs get leaked and can be seen on Webfinger Browser
CVE-2026-25808
Description
Hollo is single-user microblogging software that federates through ActivityPub. In versions prior to 0.6.20 and 0.7.2, DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. The vulnerability is fixed in 0.6.20 and 0.7.2.
Affected products
- Range: < 0.6.20 || < 0.7.2
- fedify-dev/hollo (v5), Range: < 0.6.20, 0.7.2
References
- github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e (mitre, x_refsource_MISC)
- github.com/fedify-dev/hollo/releases/tag/0.6.20 (mitre, x_refsource_MISC)
- github.com/fedify-dev/hollo/releases/tag/0.7.2 (mitre, x_refsource_MISC)
- github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5 (mitre, x_refsource_CONFIRM)