VYPR

Mastodon

All CVEs

49 total · sorted by risk
  • CVE-2026-47777 · High · Jun 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could…

  • CVE-2026-41259 · High · Apr 23, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that…

  • CVE-2023-36460 · Jul 6, 2023
    risk 0.03 · cvss n/a · epss 0.37

    Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any…

  • CVE-2026-50129 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered (Uncaught Exception vulnerability) due to missing exception handling in the math sanitizer. Malformed nodes can result in a DoS of a…

  • CVE-2026-50128 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term,…

  • CVE-2026-48028 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing,…

  • CVE-2026-47389 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some…

  • CVE-2026-46349 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing,…

  • CVE-2026-46348 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the…

  • CVE-2026-33869 · Mar 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on…

  • CVE-2026-33868 · Mar 27, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can…

  • CVE-2026-27477 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen…

  • CVE-2026-27468 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or…

  • CVE-2026-25540 · Feb 4, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags…

  • CVE-2026-23964 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by…

  • CVE-2026-23963 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as…

  • CVE-2026-23962 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options,…

  • CVE-2026-23961 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted.…

  • CVE-2026-22246 · Jan 8, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of…

  • CVE-2026-22245 · Jan 8, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in…

  • CVE-2025-67500 · Dec 9, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by…

  • CVE-2025-62605 · Oct 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and…

  • CVE-2025-62176 · Oct 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses…

  • CVE-2025-62175 · Oct 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue…

  • CVE-2025-62174 · Oct 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions…

  • CVE-2025-54879 · Aug 5, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub, and facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical…

  • CVE-2025-27399 · Feb 27, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block…

  • CVE-2025-27157 · Feb 27, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary…

  • CVE-2023-49952 · Nov 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.

  • CVE-2024-34535 · Oct 3, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.

  • CVE-2024-37903 · Jul 5, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining…

  • CVE-2024-25623 · Feb 19, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity…

  • CVE-2024-25619 · Feb 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, which could have posed security risks to users by allowing an application…

  • CVE-2024-25618 · Feb 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if…

  • CVE-2024-23832 · Feb 1, 2024
    risk 0.00 · cvss n/a · epss 0.02

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to…

  • CVE-2023-42452 · Sep 19, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing…

  • CVE-2023-42451 · Sep 19, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10,…

  • CVE-2023-42450 · Sep 19, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused…

  • CVE-2023-36462 · Jul 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to…

  • CVE-2023-36461 · Jul 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the…

  • CVE-2023-36459 · Jul 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in…

  • CVE-2023-28853 · Apr 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform…

  • CVE-2022-48364 · Mar 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was…

  • CVE-2022-46405 · Dec 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of…

  • CVE-2022-2166 · Nov 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.

  • CVE-2022-31263 · May 24, 2022
    risk 0.00 · cvss n/a · epss 0.01

    app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

  • CVE-2022-24307 · Feb 3, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

  • CVE-2022-0432 · Feb 2, 2022
    risk 0.00 · cvss n/a · epss 0.04

    Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

  • CVE-2018-21018 · Sep 22, 2019
    risk 0.00 · cvss n/a · epss 0.03

    Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.