VYPR
Vendor: Misskey Dev

Products: 1
CVEs: 28
Across products: 28
Status: Private

Recent CVEs

  • CVE-2024-49363 | High | Dec 18, 2024
    risk 0.48 | cvss 7.4 | epss 0.00

    Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified…

  • CVE-2026-28433 | Mar 9, 2026
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is…

  • CVE-2026-28432 | Mar 9, 2026
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether…

  • CVE-2026-28431 | Mar 9, 2026
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. All Misskey servers running versions 8.45.0 and later, but prior to 2026.3.1, contain a vulnerability that allows bad actors access to data that they ordinarily wouldn't be able to access due to insufficient permission…

  • CVE-2025-66482 | Dec 15, 2025
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or who are not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been…

  • CVE-2025-66402 | Dec 15, 2025
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can export the posts and view the contents. Version 2025.12.0 fixes the issue.

  • CVE-2025-46559 | May 5, 2025
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation…

  • CVE-2025-46340 | May 5, 2025
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the…

  • CVE-2025-25306 | Mar 10, 2025
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the `id` and `url` fields of ActivityPub objects. An attacker can forge an object where they claim authority in the `url` field even if the…

  • CVE-2025-24897 | Feb 11, 2025
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bull's dashboard, some of the APIs of…

  • CVE-2025-24896 | Feb 11, 2025
    risk 0.00 | cvss - | epss 0.01

    Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is…

  • CVE-2024-52579 | Dec 18, 2024
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in an SSRF attack. It allows an…

  • CVE-2024-52590 | Dec 18, 2024
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles…

  • CVE-2024-52591 | Dec 18, 2024
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. In affected versions missing validation in `ApRequestService.signedGet` and `HttpRequestService.getActivityJson` allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from…

  • CVE-2024-52592 | Dec 18, 2024
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. In affected versions missing validation in `ApInboxService.update` allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor…

  • CVE-2024-52593 | Dec 18, 2024
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, federated social media platform. In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links (such as the…

  • CVE-2024-32983 | Jun 3, 2024
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and…

  • CVE-2024-25636 | Feb 19, 2024
    risk 0.00 | cvss - | epss 0.01

    Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity…

  • CVE-2023-52139 | Dec 29, 2023
    risk 0.00 | cvss - | epss 0.01

    Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/b…

  • CVE-2023-49079 | Nov 29, 2023
    risk 0.00 | cvss - | epss 0.00

    Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1.