Vendor CVEs
Mastodon
All CVEs
49 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47777 | Mastodon | High | 0.42 | 7.5 | 0.00 | | Jun 15, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could… |
| CVE-2026-41259 | Mastodon | High | 0.42 | 7.5 | 0.00 | | Apr 23, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that… |
| CVE-2023-36460 | Mastodon | | 0.03 | — | 0.37 | | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any… |
| CVE-2026-50129 | Mastodon | | 0.00 | — | 0.00 | | Jun 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulnerability), due to missing exception handling in the math sanitizer. Malformed nodes can result in a DoS of a… |
| CVE-2026-50128 | Mastodon | | 0.00 | — | 0.00 | | Jun 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term,… |
| CVE-2026-48028 | Mastodon | | 0.00 | — | 0.00 | | Jun 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing,… |
| CVE-2026-47389 | Mastodon | | 0.00 | — | 0.00 | | Jun 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some… |
| CVE-2026-46349 | Mastodon | | 0.00 | — | 0.00 | | Jun 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing,… |
| CVE-2026-46348 | Mastodon | | 0.00 | — | 0.00 | | Jun 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the… |
| CVE-2026-33869 | Mastodon | | 0.00 | — | 0.00 | | Mar 27, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on… |
| CVE-2026-33868 | Mastodon | | 0.00 | — | 0.01 | | Mar 27, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can… |
| CVE-2026-27477 | Mastodon | | 0.00 | — | 0.00 | | Feb 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen… |
| CVE-2026-27468 | Mastodon | | 0.00 | — | 0.00 | | Feb 24, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or… |
| CVE-2026-25540 | Mastodon | | 0.00 | — | 0.00 | | Feb 4, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags… |
| CVE-2026-23964 | Mastodon | | 0.00 | — | 0.00 | | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by… |
| CVE-2026-23963 | Mastodon | | 0.00 | — | 0.00 | | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as… |
| CVE-2026-23962 | Mastodon | | 0.00 | — | 0.00 | | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options,… |
| CVE-2026-23961 | Mastodon | | 0.00 | — | 0.00 | | Jan 22, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted.… |
| CVE-2026-22246 | Mastodon | | 0.00 | — | 0.00 | | Jan 8, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of… |
| CVE-2026-22245 | Mastodon | | 0.00 | — | 0.00 | | Jan 8, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in… |
| CVE-2025-67500 | Mastodon | | 0.00 | — | 0.00 | | Dec 9, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by… |
| CVE-2025-62605 | Mastodon | | 0.00 | — | 0.00 | | Oct 21, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and… |
| CVE-2025-62176 | Mastodon | | 0.00 | — | 0.00 | | Oct 13, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses… |
| CVE-2025-62175 | Mastodon | | 0.00 | — | 0.00 | | Oct 13, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue… |
| CVE-2025-62174 | Mastodon | | 0.00 | — | 0.00 | | Oct 13, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions… |
| CVE-2025-54879 | Mastodon | | 0.00 | — | 0.01 | | Aug 5, 2025 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical… |
| CVE-2025-27399 | Mastodon | | 0.00 | — | 0.00 | | Feb 27, 2025 | Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block… |
| CVE-2025-27157 | Mastodon | | 0.00 | — | 0.00 | | Feb 27, 2025 | Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary… |
| CVE-2023-49952 | Mastodon | | 0.00 | — | 0.00 | | Nov 18, 2024 | Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header. |
| CVE-2024-34535 | Mastodon | | 0.00 | — | 0.00 | | Oct 3, 2024 | In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. |
| CVE-2024-37903 | Mastodon | | 0.00 | — | 0.01 | | Jul 5, 2024 | Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining… |
| CVE-2024-25623 | Mastodon | | 0.00 | — | 0.01 | | Feb 19, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity… |
| CVE-2024-25619 | Mastodon | | 0.00 | — | 0.00 | | Feb 14, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application… |
| CVE-2024-25618 | Mastodon | | 0.00 | — | 0.00 | | Feb 14, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if… |
| CVE-2024-23832 | Mastodon | | 0.00 | — | 0.02 | | Feb 1, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to… |
| CVE-2023-42452 | Mastodon | | 0.00 | — | 0.00 | | Sep 19, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing… |
| CVE-2023-42451 | Mastodon | | 0.00 | — | 0.01 | | Sep 19, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10,… |
| CVE-2023-42450 | Mastodon | | 0.00 | — | 0.00 | | Sep 19, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused… |
| CVE-2023-36462 | Mastodon | | 0.00 | — | 0.01 | | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to… |
| CVE-2023-36461 | Mastodon | | 0.00 | — | 0.01 | | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the… |
| CVE-2023-36459 | Mastodon | | 0.00 | — | 0.01 | | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in… |
| CVE-2023-28853 | Mastodon | | 0.00 | — | 0.01 | | Apr 4, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform… |
| CVE-2022-48364 | Mastodon | | 0.00 | — | 0.01 | | Mar 6, 2023 | The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was… |
| CVE-2022-46405 | Mastodon | | 0.00 | — | 0.01 | | Dec 4, 2022 | Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of… |
| CVE-2022-2166 | Mastodon | | 0.00 | — | 0.01 | | Nov 16, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. |
| CVE-2022-31263 | Mastodon | | 0.00 | — | 0.01 | | May 24, 2022 | app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. |
| CVE-2022-24307 | Mastodon | | 0.00 | — | 0.01 | | Feb 3, 2022 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) |
| CVE-2022-0432 | Mastodon | | 0.00 | — | 0.04 | | Feb 2, 2022 | Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. |
| CVE-2018-21018 | Mastodon | | 0.00 | — | 0.03 | | Sep 22, 2019 | Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions. |