Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Misskey — Vulnerabilities & Security Advisories 28

All 28 CVE vulnerabilities found in Misskey, with AI-generated Chinese analysis, references, and POCs.

Vendor: Misskey

CVE IDTitleCVSSSeverityPublished
CVE-2026-28433 Misskey lacks resource ownership validation CWE-639 7.1AIHighAI2026-03-09
CVE-2026-28432 HTTP signature verification can be bypassed CWE-347 7.5AIHighAI2026-03-09
CVE-2026-28431 Misskey lacks proper authorization checks and input validation CWE-285 5.9AIMediumAI2026-03-09
CVE-2025-66482 Misskey has a login rate limit bypass via spoofed X-Forwarded-For header CWE-307 5.3AIMediumAI2025-12-15
CVE-2025-66402 misskey.js's export data contains private post data CWE-862 5.3AIMediumAI2025-12-15
CVE-2025-46559 Misskey Directory Traversal Vulnerability in AiScript via `Mk:api` CWE-22 5.4 Medium2025-05-05
CVE-2025-46340 Misskey CSS Style Injection Vulnerability In `MkUrlPreview` CWE-20 7.2 High2025-05-05
CVE-2025-25306 Misskey's Incomplete Patch of CVE-2024-52591 Leads to Forgery of Federated Notes CWE-346 9.3 Critical2025-03-10
CVE-2025-24897 Misskey CSRF vulnerability due to insecure configuration of authentication cookie attributes CWE-352 8.2 High2025-02-11
CVE-2025-24896 Misskey allows token to remain valid in cookie after signing out CWE-613 8.1 High2025-02-11
CVE-2024-49363 Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey CWE-405 7.4 High2024-12-18
CVE-2024-52579 Server-Side Request Forgery vulnerability in various APIs in Misskey CWE-918 6.4 Medium2024-12-18
CVE-2024-52590 Missing validation allows spoofed profiles in Misskey CWE-20 8.8 -2024-12-18
CVE-2024-52591 Missing validation allows spoofed profiles and notes in Misskey CWE-20 8.1 -2024-12-18
CVE-2024-52592 Missing validation allows spoofed poll updates in Misskey CWE-20 5.3 -2024-12-18
CVE-2024-52593 Missing validation allows spoofed "origin" links in Misskey CWE-20 5.4 -2024-12-18
CVE-2024-32983 Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities CWE-863 8.2 High2024-06-03
CVE-2024-25636 Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts CWE-434 7.1 High2024-02-19
CVE-2023-52139 Misskey vulnerable to improper authorization when accessing with third-party application CWE-285 9.1 Critical2023-12-29
CVE-2023-49079 Misskey's missing signature validation allows arbitrary users to impersonate any remote user. CWE-347 9.3 Critical2023-11-29
CVE-2023-43793 Misskey allows users to bypass authentication of Bull dashboard CWE-287 7.5 High2023-10-04
CVE-2023-24810 Cross site scripting (XSS) vulnerability using authentication callback in Misskey CWE-79 7.1 High2023-02-22
CVE-2023-24811 Cross site scripting (XSS) vulnerability using url preview in Misskey CWE-79 7.1 High2023-02-22
CVE-2023-24812 SQL injection of notes/search-by-tag CWE-89 8.8 High2023-02-22
CVE-2023-25154 Cross site scripting (XSS) of ActivityPub URI in misskey CWE-79 7.1 High2023-02-22
CVE-2021-39195 Server-Side Request Forgery vulnerability in misskey CWE-918 7.7 High2021-09-07
CVE-2021-39169 XSS vulnerability using dialog CWE-79 8.0 High2021-08-27
CVE-2019-1020010 Misskey 跨站脚本漏洞 8.2 -2019-07-29

All 28 known CVE vulnerabilities affecting Misskey with full Chinese analysis, references, and POCs where available.