CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

CVE-2026-23964

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...

CVE-2026-23961

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under...

BIT-MASTODON-2025-54879 Mastodon e‑mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails

Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the...

"TootRoot" Mastodon vulnerabilities fixed: Admins, patch now!

One of Twitters big rivals, Mastodon, recently finished fixing four issues which in the worst case allowed for the creation of files on the instances server. Mastodon, whose main selling point is lots of separate communities living on different servers yet still able to communicate, was notified ...