279 matches found
CVE-2024-52591
Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet and HttpRequestService.getActivityJson allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance...
CVE-2024-52579
Misskey is an open source, federated social media platform. Some APIs using HttpRequestService do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or...
CVE-2024-52593
Misskey is an open source, federated social media platform.In affected versions missing validation in NoteCreateService.insertNote, ApPersonService.createPerson, and ApPersonService.updatePerson allows an attacker to control the target of any "origin" links such as the "view on remote instance"...
CVE-2024-52590
Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles can be used to...
CVE-2024-52592
Misskey is an open source, federated social media platform. In affected versions missing validation in ApInboxService.update allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instanc...
CVE-2023-24811
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the View in Player or View...
CVE-2023-49079
Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1...
CVE-2023-24810
Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during miauth authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 including 12.x are affected. This has been fixed ...
CVE-2023-52139
Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as kind or secure without the user's permission and perform operations such as reading or adding non-public content. As a...
CVE-2023-25154
Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execut...
CVE-2023-24812
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag notes/search-by-tag. This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to...
CVE-2023-43805
Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possibl...
CVE-2019-1020010
Misskey before 10.102.4 allows hijacking a user's token...
Redirect Filter Bypass
@misskey-dev/summaly is vulnerable to Redirect Filter Bypass. The vulnerability is due to a logic error in the summaly function that prevents the allowRedirects option from being passed, which allows an attacker to force the library to follow unintended redirects...
CVE-2025-46340
Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in UrlPreviewService and MkUrlPreview, it is possible for an attacker to inject arbitrary CSS into the MkUrlPreview component...
CVE-2025-46559
Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious...
CVE-2025-46553
@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects,...
CVE-2025-46559
Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious...
CVE-2025-46340
Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in UrlPreviewService and MkUrlPreview, it is possible for an attacker to inject arbitrary CSS into the MkUrlPreview component...
CVE-2025-46559
CVE-2025-46559 is a Misskey directory traversal vulnerability. In Misskey versions 12.31.0 through 2025.4.0, missing validation in Mk:api lets AiScript prefix a URL with ".." to escape the /api path, enabling requests to endpoints such as /files, /url, and /proxy. The issue is fixed in version 20...