
misskey-dev — Vulnerabilities & Security Advisories (28)

Browse all 28 CVE security advisories affecting misskey-dev. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Misskey-dev is the primary development entity behind Misskey, a widely adopted open-source federated microblogging platform. The software facilitates decentralized social networking, allowing users to post content, follow others, and interact across independent instances within the Fediverse. Historically, security audits have identified twenty-eight Common Vulnerabilities and Exposures (CVEs) associated with the codebase. These flaws predominantly involve cross-site scripting (XSS), remote code execution (RCE), and privilege escalation vulnerabilities, often stemming from insufficient input validation or improper access control mechanisms in server-side components. While no catastrophic data breaches have been publicly confirmed as direct results of these specific CVEs, the recurring nature of these issues highlights challenges in maintaining secure code practices within a rapidly evolving open-source project. Continuous patching and community-driven security reviews remain essential for mitigating these risks and ensuring the integrity of the federated network infrastructure.

Top products by misskey-dev: misskey, summaly
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-28433 | Misskey lacks resource ownership validation | misskey | CWE-639 | 7.1 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-28432 | HTTP signature verification can be bypassed | misskey | CWE-347 | 7.5 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-28431 | Misskey lacks proper authorization checks and input validation | misskey | CWE-285 | 5.9 (AI) | Medium (AI) | 2026-03-09 |
| CVE-2025-66482 | Misskey has a login rate limit bypass via spoofed X-Forwarded-For header | misskey | CWE-307 | 5.3 (AI) | Medium (AI) | 2025-12-15 |
| CVE-2025-66402 | misskey.js's export data contains private post data | misskey | CWE-862 | 5.3 (AI) | Medium (AI) | 2025-12-15 |
| CVE-2025-46559 | Misskey Directory Traversal Vulnerability in AiScript via `Mk:api` | misskey | CWE-22 | 5.4 | Medium | 2025-05-05 |
| CVE-2025-46340 | Misskey CSS Style Injection Vulnerability In `MkUrlPreview` | misskey | CWE-20 | 7.2 | High | 2025-05-05 |
| CVE-2025-46553 | @misskey-dev/summaly Redirect Filter Bypass | summaly | CWE-693 | 6.1 (AI) | Medium (AI) | 2025-05-05 |
| CVE-2025-25306 | Misskey's Incomplete Patch of CVE-2024-52591 Leads to Forgery of Federated Notes | misskey | CWE-346 | 9.3 | Critical | 2025-03-10 |
| CVE-2025-24897 | Misskey CSRF vulnerability due to insecure configuration of authentication cookie attributes | misskey | CWE-352 | 8.2 | High | 2025-02-11 |
| CVE-2025-24896 | Misskey allows token to remain valid in cookie after signing out | misskey | CWE-613 | 8.1 | High | 2025-02-11 |
| CVE-2024-49363 | Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey | misskey | CWE-405 | 7.4 | High | 2024-12-18 |
| CVE-2024-52579 | Server-Side Request Forgery vulnerability in various APIs in Misskey | misskey | CWE-918 | 6.4 | Medium | 2024-12-18 |
| CVE-2024-52590 | Missing validation allows spoofed profiles in Misskey | misskey | CWE-20 | 8.8 | - | 2024-12-18 |
| CVE-2024-52591 | Missing validation allows spoofed profiles and notes in Misskey | misskey | CWE-20 | 8.1 | - | 2024-12-18 |
| CVE-2024-52592 | Missing validation allows spoofed poll updates in Misskey | misskey | CWE-20 | 5.3 | - | 2024-12-18 |
| CVE-2024-52593 | Missing validation allows spoofed "origin" links in Misskey | misskey | CWE-20 | 5.4 | - | 2024-12-18 |
| CVE-2024-32983 | Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities | misskey | CWE-863 | 8.2 | High | 2024-06-03 |
| CVE-2024-25636 | Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts | misskey | CWE-434 | 7.1 | High | 2024-02-19 |
| CVE-2023-52139 | Misskey vulnerable to improper authorization when accessing with third-party application | misskey | CWE-285 | 9.1 | Critical | 2023-12-29 |
| CVE-2023-49079 | Misskey's missing signature validation allows arbitrary users to impersonate any remote user. | misskey | CWE-347 | 9.3 | Critical | 2023-11-29 |
| CVE-2023-43793 | Misskey allows users to bypass authentication of Bull dashboard | misskey | CWE-287 | 7.5 | High | 2023-10-04 |
| CVE-2023-24810 | Cross site scripting (XSS) vulnerability using authentication callback in Misskey | misskey | CWE-79 | 7.1 | High | 2023-02-22 |
| CVE-2023-24811 | Cross site scripting (XSS) vulnerability using url preview in Misskey | misskey | CWE-79 | 7.1 | High | 2023-02-22 |
| CVE-2023-24812 | SQL injection of notes/search-by-tag | misskey | CWE-89 | 8.8 | High | 2023-02-22 |
| CVE-2023-25154 | Cross site scripting (XSS) of ActivityPub URI in misskey | misskey | CWE-79 | 7.1 | High | 2023-02-22 |
| CVE-2021-39195 | Server-Side Request Forgery vulnerability in misskey | misskey | CWE-918 | 7.7 | High | 2021-09-07 |
| CVE-2021-39169 | XSS vulnerability using dialog | misskey | CWE-79 | 8.0 | High | 2021-08-27 |

"(AI)" marks a CVSS score or severity that carries the site's AI-estimated tag rather than a value taken from the published advisory; "-" means no severity is listed.

This page lists every published CVE security advisory associated with misskey-dev. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.