Bitnami package
mastodon
pkg:bitnami/mastodon
Vulnerabilities (41)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41259 | High | 7.5 | — | < 4.3.22 | 4.3.22 | Apr 23, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that a |
| CVE-2026-33869 | — | — | — | >= 4.4.0, < 4.4.15 | 4.4.15 | Mar 27, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on th |
| CVE-2026-33868 | — | — | — | < 4.3.21 | 4.3.21 | Mar 27, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can cr |
| CVE-2026-27477 | — | — | — | >= 4.4.0, < 4.4.14 | 4.4.14 | Feb 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` |
| CVE-2026-27468 | — | — | — | >= 4.4.0, < 4.4.14 | 4.4.14 | Feb 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to |
| CVE-2026-25540 | — | — | — | < 4.5.6 | 4.5.6 | Feb 4, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags |
| CVE-2026-23964 | — | — | — | < 4.3.18 | 4.3.18 | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessin |
| CVE-2026-23963 | — | — | — | < 4.3.18 | 4.3.18 | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as |
| CVE-2026-23962 | — | — | — | < 4.3.18 | 4.3.18 | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large number of options, gr |
| CVE-2026-23961 | — | — | — | < 4.3.18 | 4.3.18 | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Fur |
| CVE-2026-22246 | — | — | — | < 4.3.17 | 4.3.17 | Jan 8, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of seve |
| CVE-2026-22245 | — | — | — | < 4.2.29 | 4.2.29 | Jan 8, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_ |
| CVE-2025-67500 | — | — | — | < 4.2.28 | 4.2.28 | Dec 9, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by se |
| CVE-2025-62605 | — | — | — | >= 4.4.0, < 4.4.8 | 4.4.8 | Oct 21, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and 4.5.0-beta.2. |
| CVE-2025-62176 | — | — | — | < 4.2.27 | 4.2.27 | Oct 13, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses |
| CVE-2025-62175 | — | — | — | < 4.2.27 | 4.2.27 | Oct 13, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receivin |
| CVE-2025-62174 | — | — | — | < 4.2.27 | 4.2.27 | Oct 13, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions a |
| CVE-2025-54879 | — | — | — | >= 3.1.5, < 4.2.24 | 4.2.24 | Aug 5, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuratio |
| CVE-2025-27399 | — | — | — | < 4.3.4 | 4.3.4 | Feb 27, 2025 | Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reason |
| CVE-2025-27157 | — | — | — | >= 4.2.0, < 4.3.4 | 4.3.4 | Feb 27, 2025 | Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to arbitrary addresses |
Page 1 of 3