CVE-2026-33868
published 2026-03-27


Priority: P3 (43)   Severity: medium   CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.52% (39.9th percentile)
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.
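The mechanism in the description, modelled as an added example (this is not Mastodon's code and the controller shape, the helper names and the `APP_ORIGIN` value are assumptions for illustration). A catch-all route receives its wildcard segment with `%2F` still encoded, so Rails path normalization sees no extra slashes; once the segment is decoded and prefixed with a single `/`, the result is a scheme-relative `//host/...` URL, which browsers resolve against the attacker's host. The hardened version resolves the candidate against the application's own origin and refuses anything whose scheme, host or port differ.

```ruby
require "uri"

# Added example, not Mastodon's code. Models a catch-all "/web/*" route whose
# wildcard segment is percent-decoded and glued behind a single "/" before
# being handed to redirect_to, and a hardened replacement.

# Percent-decode one path segment the way a router would: "%XX" -> byte.
# "+" is left alone; it only means a space in query strings.
def decode_path_segment(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Vulnerable shape (assumed for illustration, not the real controller):
# the decoded segment is prefixed with "/" and used as the redirect target.
# "%2Fevil.example%2Flogin" becomes "//evil.example/login", a scheme-relative
# URL that points at another host.
def vulnerable_redirect_target(raw_segment)
  "/#{decode_path_segment(raw_segment)}"
end

# APP_ORIGIN is an assumed value for this example.
APP_ORIGIN = "https://mastodon.example".freeze

# Hardened shape: resolve the candidate against the application's own origin
# and only redirect when scheme, host and port still match; otherwise return
# the fallback. The returned value is always a path, never an absolute URL.
def safe_redirect_target(raw_segment, origin: APP_ORIGIN, fallback: "/")
  decoded = decode_path_segment(raw_segment)
  # A decoded segment that itself starts with "/" or "\" would yield "//..."
  # (browsers normalise "/\" to "//"); refuse it before any parsing.
  return fallback if decoded.start_with?("/", "\\") || decoded.include?("\\")
  return fallback if decoded.match?(/[[:cntrl:]]/)

  base = URI.parse(origin)
  resolved = URI.join(origin, "/#{decoded}")
  same_origin = resolved.scheme == base.scheme &&
                resolved.host == base.host &&
                resolved.port == base.port
  return fallback unless same_origin

  resolved.request_uri # path plus query only
rescue URI::InvalidURIError, URI::BadURIError
  fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a phishing payload and a legitimate profile path.
  phish = "%2Fevil.example%2Flogin"
  legit = "%40alice"
  puts "vulnerable(#{phish}) -> #{vulnerable_redirect_target(phish)}"
  puts "safe(#{phish})       -> #{safe_redirect_target(phish)}"
  puts "safe(#{legit})       -> #{safe_redirect_target(legit)}"
end
```

The origin comparison is the check to keep even if the leading-slash rejection is removed: an absolute `https://evil.example` smuggled into the segment becomes the harmless path `/https://evil.example` after resolution, while anything that actually changes host falls back to `/`.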

Affected

6 ranges

Vendor         Product    Version range         Fixed in
joinmastodon   mastodon   < 4.3.21              4.3.21
joinmastodon   mastodon   >= 4.4.0, < 4.4.15    4.4.15
joinmastodon   mastodon   >= 4.5.0, < 4.5.8     4.5.8
mastodon       mastodon   < 4.3.21              4.3.21
mastodon       mastodon   (not shown)           (not shown)
mastodon       mastodon   (not shown)           (not shown)