
mastodon — Vulnerabilities & Security Advisories (33)

All 33 CVE vulnerabilities found in mastodon, with AI-generated Chinese analysis, references, and POCs.

Vendor: mastodon

| CVE ID | Title | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-41259 | Mastodon: Insufficient verification of email addresses | CWE-841 | 4.3 (AI-estimated) | Medium (AI-estimated) | 2026-04-23 |
| CVE-2026-33869 | Mastodon has a denial of service for quote authorization | CWE-863 | 4.8 | Medium | 2026-03-27 |
| CVE-2026-33868 | Mastodon has a GET-based open redirect via '/web/%2F<domain>' | CWE-601 | 4.3 | Medium | 2026-03-27 |
| CVE-2026-27477 | Mastodon has SSRF via unvalidated FASP provider base_url | CWE-918 | 6.5 | - | 2026-02-24 |
| CVE-2026-27468 | Mastodon may allow unconfirmed FASP to make subscriptions | CWE-862 | 6.7 | - | 2026-02-24 |
| CVE-2026-25540 | Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (web cache poisoning via `Rails.cache`) | CWE-524 | 6.5 | Medium | 2026-02-04 |
| CVE-2026-23964 | Mastodon has insufficient access control to push notification settings | CWE-863 | 6.5 | Medium | 2026-01-22 |
| CVE-2026-23963 | Mastodon missing length limits on list names, filter names, and filter keywords | CWE-770 | 4.3 | Medium | 2026-01-22 |
| CVE-2026-23962 | Mastodon vulnerable to denial of service from a single post (client/server) | CWE-770 | 7.5 | High | 2026-01-22 |
| CVE-2026-23961 | Mastodon may allow a remote suspension bypass | CWE-863 | 5.3 | Medium | 2026-01-22 |
| CVE-2026-22246 | Local Mastodon users can enumerate and access severed relationships of every other local user | CWE-201 | 6.5 | Medium | 2026-01-08 |
| CVE-2026-22245 | Mastodon has SSRF protection bypass | CWE-918 | 9.4 | - | 2026-01-08 |
| CVE-2025-67500 | Mastodon error handling discrepancy enables private status existence enumeration | CWE-204 | 3.7 | Low | 2025-12-09 |
| CVE-2025-62605 | Mastodon quotes control can be bypassed | CWE-754 | 4.3 | Medium | 2025-10-21 |
| CVE-2025-62176 | Mastodon streaming server allows OAuth clients without the `read` scope to subscribe to public channels | CWE-280 | 4.3 | Medium | 2025-10-13 |
| CVE-2025-62175 | Mastodon streaming API fails to disconnect disabled and suspended users | CWE-273 | 4.3 | Medium | 2025-10-13 |
| CVE-2025-62174 | Mastodon allows continued access after password reset via CLI | CWE-613 | 3.5 | Low | 2025-10-13 |
| CVE-2025-54879 | Mastodon e-mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails | CWE-770 | 5.3 | Medium | 2025-08-05 |
| CVE-2025-27399 | Mastodon's domain blocks & rationales ignore user approval when visibility is set to "users" | CWE-200 | 5.3 | Medium | 2025-02-27 |
| CVE-2025-27157 | Mastodon's rate limits are missing on `/auth/setup` | CWE-770 | 5.3 | Medium | 2025-02-27 |
| CVE-2024-37903 | Mastodon has improper authorship check on audience extension for existing posts | CWE-862 | 8.2 | High | 2024-07-05 |
| CVE-2024-25623 | Lack of media type verification of Activity Streams objects allows impersonation of remote accounts | CWE-434 | 8.5 | High | 2024-02-19 |
| CVE-2024-25619 | Destroying OAuth applications doesn't notify streaming of access tokens being destroyed in Mastodon | CWE-613 | 3.1 | Low | 2024-02-14 |
| CVE-2024-25618 | External OpenID Connect account takeover by e-mail change in Mastodon | CWE-287 | 4.2 | Medium | 2024-02-14 |
| CVE-2024-23832 | Mastodon remote user impersonation and takeover | CWE-290 | 9.4 | Critical | 2024-02-01 |
| CVE-2023-42452 | Mastodon vulnerable to stored XSS through the translation feature | CWE-79 | 6.1 | Medium | 2023-09-19 |
| CVE-2023-42451 | Mastodon invalid domain name normalization vulnerability | CWE-706 | 7.4 | High | 2023-09-19 |
| CVE-2023-42450 | Mastodon server-side request forgery vulnerability | CWE-918 | 5.4 | Medium | 2023-09-19 |
| CVE-2023-36462 | Mastodon's verified profile links can be formatted in a misleading way | CWE-20 | 5.4 | Medium | 2023-07-06 |
| CVE-2023-36461 | Mastodon vulnerable to denial of service through slow HTTP responses | CWE-770 | 7.5 | High | 2023-07-06 |

Values marked "(AI-estimated)" are scores and severities generated by this site's AI analysis rather than taken from the advisory; a "-" in the Severity column means no qualitative rating is given on this page for that entry, even where a numeric CVSS score is listed.
