CVE-2026-33869
published 2026-03-27CVE-2026-33869: Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to…
PriorityP425medium4.8CVSS 3.1
AVNACHPRNUINSUCNILAL
EPSS
0.17%
6.2th percentile
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joinmastodon | mastodon | >= 4.4.0 < 4.4.15 | 4.4.15 |
| joinmastodon | mastodon | >= 4.5.0 < 4.5.8 | 4.5.8 |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
2026-03-27
Published