CVE-2026-33869
published 2026-03-27

Priority: P425
CVSS 3.1 base score: 4.8 (Medium)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L (network-reachable, high attack complexity, no privileges or user interaction required, unchanged scope; no confidentiality impact, low integrity and availability impact)
EPSS: 0.17% (6.2th percentile)
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker who learns of a quote before it reaches a given server can prevent that server from processing the quote correctly. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.

Affected

4 ranges

Vendor         Product    Version range          Fixed in
joinmastodon   mastodon   >= 4.4.0, < 4.4.15     4.4.15
joinmastodon   mastodon   >= 4.5.0, < 4.5.8      4.5.8
mastodon       mastodon   (no version range given)
mastodon       mastodon   (no version range given)
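The two version ranges above are the whole test for exposure, so an added check (example code written for this page, not Mastodon project code) is useful when triaging instances. It uses Gem::Version from the Ruby standard distribution because Mastodon version strings follow the same shape; the sample instance JSON body is constructed here, on the assumption that the instance endpoint reports the running version under a "version" key. Two edge cases are handled deliberately: build metadata after a "+" (as in fork builds) is stripped because Gem::Version rejects it, and a pre-release tag of the fixed version (for example "4.5.8-rc.1") is still reported as affected, since it sorts below the fix.

```ruby
require "rubygems"
require "json"

# Affected ranges from the advisory table: [lower bound inclusive, upper bound exclusive].
AFFECTED_RANGES = [
  [Gem::Version.new("4.4.0"), Gem::Version.new("4.4.15")],
  [Gem::Version.new("4.5.0"), Gem::Version.new("4.5.8")],
].freeze

# Normalise a Mastodon version string into something Gem::Version accepts:
# drop a leading "v" and any "+build" metadata, which Gem::Version rejects.
def normalise_mastodon_version(version_string)
  version_string.to_s.strip.sub(/\Av/, "").sub(/\+.*\z/, "")
end

# True when the version falls inside one of the affected ranges.
# "4.5.8-rc.1" becomes "4.5.8.pre.rc.1" in Gem::Version, which is < 4.5.8,
# so release candidates of the fixed version are conservatively flagged.
def affected_by_cve_2026_33869?(version_string)
  v = Gem::Version.new(normalise_mastodon_version(version_string))
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Extract the version from an instance API response body.
# The shape of the body (a top-level "version" key) is an assumption of this example.
def version_from_instance_json(json_body)
  JSON.parse(json_body).fetch("version")
end

# Constructed sample response, not a capture from a real server.
SAMPLE_INSTANCE_JSON = '{"domain":"example.invalid","title":"Example","version":"4.5.7"}'.freeze

if $PROGRAM_NAME == __FILE__
  v = version_from_instance_json(SAMPLE_INSTANCE_JSON)
  puts "#{v}: #{affected_by_cve_2026_33869?(v) ? 'AFFECTED' : 'not affected'}"
end
```

To check a live instance, feed the JSON body returned by the instance's public API into version_from_instance_json; note that forks and proxies may report a customised version string, in which case the normalisation step above is the part most likely to need adjusting.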