Joinmastodon Mastodon vulnerabilities
42 known vulnerabilities affecting joinmastodon/mastodon.
Total CVEs: 42
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 13, MEDIUM 22, LOW 2
Vulnerabilities
Page 2 of 3
CVE-2026-25540 | P3 | MEDIUM | CVSS 6.5 | CWE-524 | fixed in 4.3.19; ≥ 4.4.0, < 4.4.13; +1 more | 2026-02-04
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache`. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request.
Source: nvd
CVE-2026-23963 | P3 | MEDIUM | CVSS 6.5 | CWE-770 | fixed in 4.3.18; ≥ 4.4.0, < 4.4.12; +1 more | 2026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields
Source: nvd
CVE-2026-27477 | P3 | MEDIUM | CVSS 5.9 | CWE-918 | ≥ 4.4.0, < 4.4.14; ≥ 4.5.0, < 4.5.7 | 2026-02-24
Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, an unauthenticated attacker can register a FASP with an attacker-chosen `base_url` that includes or resolves to a local / internal address, leading to th
Source: nvd
CVE-2024-34535 | P4 | MEDIUM | CVSS 5.9 | CWE-444 | ≤ 4.1.16; ≥ 4.2.0, ≤ 4.2.8 | 2024-10-03
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.
Source: nvd
CVE-2022-46405 | P4 | HIGH | CVSS 7.5 | CWE-674 | ≤ 4.0.2 | 2022-12-04
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
Source: nvd
CVE-2026-23961 | P4 | MEDIUM | CVSS 5.3 | CWE-863 | fixed in 4.3.18; ≥ 4.4.0, < 4.4.12; +1 more | 2026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from su
Source: nvd
CVE-2026-23964 | P4 | MEDIUM | CVSS 5.4 | CWE-863 | fixed in 4.3.18; ≥ 4.4.0, < 4.4.12; +1 more | 2026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt
Source: nvd
CVE-2025-27157 | P4 | MEDIUM | CVSS 5.3 | CWE-770 | ≥ 4.2.0, < 4.2.16; ≥ 4.3.0, < 4.3.4 | 2025-02-27
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.
Source: nvd
CVE-2023-36462 | P4 | MEDIUM | CVSS 5.4 | CWE-20 | ≥ 2.6.0, < 3.5.9; ≥ 4.0.0, < 4.0.5; +1 more | 2023-07-06
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleadin
Source: nvd
CVE-2023-36459 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 1.3, < 3.5.9; ≥ 4.0.0, < 4.0.5; +1 more | 2023-07-06
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (
Source: nvd
CVE-2023-42452 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 4.0.0, < 4.0.10; ≥ 4.1.0, < 4.1.8; +1 more | 2023-09-19
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to
Source: nvd
CVE-2025-27399 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 4.1.23; ≥ 4.2.0, < 4.2.16; +1 more | 2025-02-27
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public ar
Source: nvd
CVE-2022-31263 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.5.0 | 2022-05-24
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
Source: nvd
CVE-2026-33869 | P4 | MEDIUM | CVSS 4.8 | CWE-863 | ≥ 4.4.0, < 4.4.15; ≥ 4.5.0, < 4.5.8 | 2026-03-27
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4
Source: nvd
CVE-2025-62605 | P4 | MEDIUM | CVSS 4.3 | CWE-754 | ≥ 4.4.0, < 4.4.8; v4.5.0 | 2025-10-21
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and 4.5.0-beta.2. Mastodon internally treats reblogs as statuses. Since they were not sp
Source: nvd
CVE-2025-62176 | P4 | MEDIUM | CVSS 4.3 | CWE-280 | fixed in 4.2.27; ≥ 4.3.0, < 4.3.14; +1 more | 2025-10-13
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to
Source: nvd
CVE-2025-62175 | P4 | MEDIUM | CVSS 4.3 | CWE-273 | fixed in 4.2.27; ≥ 4.3.0, < 4.3.14; +1 more | 2025-10-13
Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to estab
Source: nvd
CVE-2026-22246 | P4 | MEDIUM | CVSS 4.3 | CWE-201 | fixed in 4.3.17; ≥ 4.4.0, < 4.4.11; +1 more | 2026-01-08
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of th
Source: nvd
CVE-2024-25619 | P4 | MEDIUM | CVSS 4.3 | CWE-613 | fixed in 3.5.18; ≥ 4.0.0, < 4.0.14; +2 more | 2024-02-14
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destr
Source: nvd
CVE-2022-48364 | P4 | MEDIUM | CVSS 4.3 | CWE-287 | ≥ 3.5.0, < 3.5.3 | 2023-03-06
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.
Source: nvd