VYPR
Vendor: Fedify Dev

Products: 4
CVEs: 10
Across products: 11
Status: Private

Recent CVEs (10)
  • CVE-2025-54888 (High), Aug 9, 2025
    risk 0.50, CVSS not listed, EPSS 0.01

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an…

  • CVE-2026-50131 (High), Jun 10, 2026
    risk 0.49, CVSS 8.6, EPSS 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation…

  • CVE-2026-34148 (High), Apr 6, 2026
    risk 0.42, CVSS 7.5, EPSS 0.01

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum…

  • CVE-2024-39687 (High), Jul 5, 2024
    risk 0.40, CVSS 7.2, EPSS 0.01

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote ActivityPub server, it makes an HTTP request to the `@id` or other resources present within…

  • CVE-2026-42462 (High), Jun 10, 2026
    risk 0.39, CVSS 7.0, EPSS 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it…

  • CVE-2025-53941 (Medium), Jul 17, 2025
    risk 0.33, CVSS 6.1, EPSS 0.00

    Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue.

  • CVE-2025-23221 (Medium), Jan 20, 2025
    risk 0.28, CVSS 5.4, EPSS 0.01

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of…

  • CVE-2026-25808 (severity not listed), Feb 9, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This…

  • CVE-2025-68475 (severity not listed), Dec 22, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at…

  • CVE-2024-13874 (severity not listed), Apr 10, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    The Feedify WordPress plugin before 2.4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high-privilege users such as admins.