Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

mastodon — Vulnerabilities & Security Advisories 35

Browse all 35 CVE security advisories affecting mastodon. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mastodon is an open-source, self-hosted microblogging platform designed to decentralize social networking through the ActivityPub protocol. Its architecture allows users to operate independent instances that interoperate within a federated network, prioritizing user control over centralized corporate data silos. Historically, security audits have identified approximately 35 Common Vulnerabilities and Exposures (CVEs) within the codebase. These flaws predominantly involve server-side request forgery, cross-site scripting, and improper access control mechanisms, often stemming from complex interactions between the Ruby on Rails backend and the PostgreSQL database. While no catastrophic data breaches have defined its history, the platform’s decentralized nature means security incidents are typically isolated to specific instances rather than affecting the entire network. Recent patches have focused on hardening authentication flows and mitigating injection vulnerabilities, reflecting the ongoing challenges of maintaining security in a distributed, community-driven software ecosystem.

Top products by mastodon: mastodon mastodon/mastodon
CVE IDTitleCVSSSeverityPublished
CVE-2026-41259 Mastodon: Insufficient verification of email addresses — mastodonCWE-841 4.3AIMediumAI2026-04-23
CVE-2026-33869 Mastodon has a denial of service for quote authorization — mastodonCWE-863 4.8 Medium2026-03-27
CVE-2026-33868 Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>' — mastodonCWE-601 4.3 Medium2026-03-27
CVE-2026-27477 Mastodon has SSRF via unvalidated FASP Provider base_url — mastodonCWE-918 6.5 -2026-02-24
CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions — mastodonCWE-862 6.7 -2026-02-24
CVE-2026-25540 Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`) — mastodonCWE-524 6.5 Medium2026-02-04
CVE-2026-23964 Mastodon has insufficient access control to push notification settings — mastodonCWE-863 6.5 Medium2026-01-22
CVE-2026-23963 Mastodon missing length limits on list names, filter names, and filter keywords — mastodonCWE-770 4.3 Medium2026-01-22
CVE-2026-23962 Mastodon vulnerable to Denial of Service from a single post (client/server) — mastodonCWE-770 7.5 High2026-01-22
CVE-2026-23961 Mastodon may allow a remote suspension bypass — mastodonCWE-863 5.3 Medium2026-01-22
CVE-2026-22246 Local Mastodon users can enumerate and access severed relationships of every other local user — mastodonCWE-201 6.5 Medium2026-01-08
CVE-2026-22245 Mastodon has SSRF Protection bypass — mastodonCWE-918 9.4 -2026-01-08
CVE-2025-67500 Mastodon Error Handling Discrepancy Enables Private Status Existence Enumeration — mastodonCWE-204 3.7 Low2025-12-09
CVE-2025-62605 Mastodon quotes control can be bypassed — mastodonCWE-754 4.3 Medium2025-10-21
CVE-2025-62176 Mastadon streaming server allows OAuth clients without the `read` scope to subscribe to public channels — mastodonCWE-280 4.3 Medium2025-10-13
CVE-2025-62175 Mastodon streaming API fails to disconnect disabled and suspended users — mastodonCWE-273 4.3 Medium2025-10-13
CVE-2025-62174 Mastodon allows continued access after password reset via CLI — mastodonCWE-613 3.5 Low2025-10-13
CVE-2025-54879 Mastodon e‑mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails — mastodonCWE-770 5.3 Medium2025-08-05
CVE-2025-27399 Mastodon's domain blocks & rationales ignore user approval when visibility set as "users" — mastodonCWE-200 5.3 Medium2025-02-27
CVE-2025-27157 Mastodon's rate-limits are missing on `/auth/setup` — mastodonCWE-770 5.3 Medium2025-02-27
CVE-2024-37903 Mastodon has improper authorship check on audience extension for existing posts — mastodonCWE-862 8.2 High2024-07-05
CVE-2024-25623 Lack of media type verification of Activity Streams objects allows impersonation of remote accounts — mastodonCWE-434 8.5 High2024-02-19
CVE-2024-25619 Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon — mastodonCWE-613 3.1 Low2024-02-14
CVE-2024-25618 External OpenID Connect Account Takeover by E-Mail Change in mastodon — mastodonCWE-287 4.2 Medium2024-02-14
CVE-2024-23832 Mastodon Remote user impersonation and takeover — mastodonCWE-290 9.4 Critical2024-02-01
CVE-2023-42452 Mastodon vulnerable to Stored XSS through the translation feature — mastodonCWE-79 6.1 Medium2023-09-19
CVE-2023-42451 Mastodon Invalid Domain Name Normalization vulnerability — mastodonCWE-706 7.4 High2023-09-19
CVE-2023-42450 Mastodon Server-Side Request Forgery vulnerability — mastodonCWE-918 5.4 Medium2023-09-19
CVE-2023-36462 Mastodon's verified profile links can be formatted in a misleading way — mastodonCWE-20 5.4 Medium2023-07-06
CVE-2023-36461 Mastodon vulnerable to Denial of Service through slow HTTP responses — mastodonCWE-770 7.5 High2023-07-06

This page lists every published CVE security advisory associated with mastodon. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.