High severity7.0GHSA Advisory· Published Jun 10, 2026· Updated Jun 11, 2026
CVE-2026-42462
CVE-2026-42462
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@fedify/fedifynpm | >= 2.2.0, < 2.2.3 | 2.2.3 |
@fedify/fedifynpm | >= 2.1.0, < 2.1.14 | 2.1.14 |
@fedify/fedifynpm | >= 2.0.0, < 2.0.18 | 2.0.18 |
@fedify/fedifynpm | >= 1.10.0, < 1.10.10 | 1.10.10 |
@fedify/fedifynpm | < 1.9.11 | 1.9.11 |
Affected products
2- Range: < 2.2.3
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.