Lucene search
K

279 matches found

RedhatCVE
RedhatCVE
added 2025/05/23 10:42 a.m.9 views

CVE-2024-52591

Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet and HttpRequestService.getActivityJson allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance...

8.8CVSS6.4AI score0.00321EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 10:35 a.m.8 views

CVE-2024-52579

Misskey is an open source, federated social media platform. Some APIs using HttpRequestService do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or...

6.4CVSS6.8AI score0.00215EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 10:27 a.m.7 views

CVE-2024-52593

Misskey is an open source, federated social media platform.In affected versions missing validation in NoteCreateService.insertNote, ApPersonService.createPerson, and ApPersonService.updatePerson allows an attacker to control the target of any "origin" links such as the "view on remote instance"...

5.1CVSS6.9AI score0.00364EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:26 a.m.6 views

CVE-2024-52590

Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles can be used to...

8.8CVSS6.8AI score0.00341EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:26 a.m.10 views

CVE-2024-52592

Misskey is an open source, federated social media platform. In affected versions missing validation in ApInboxService.update allows an attacker to modify the result of polls belonging to another user. No authentication is required, except for a valid signature from any actor on any remote instanc...

6.9CVSS7AI score0.00298EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:55 a.m.8 views

CVE-2023-24811

Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the View in Player or View...

7.1CVSS6AI score0.00406EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:24 a.m.5 views

CVE-2023-49079

Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1...

9.3CVSS7AI score0.004EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 3:22 a.m.8 views

CVE-2023-24810

Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during miauth authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 including 12.x are affected. This has been fixed ...

7.1CVSS7AI score0.00445EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:12 a.m.10 views

CVE-2023-52139

Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as kind or secure without the user's permission and perform operations such as reading or adding non-public content. As a...

9.6CVSS6.3AI score0.00549EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:56 a.m.8 views

CVE-2023-25154

Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execut...

7.1CVSS7AI score0.00429EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:54 a.m.9 views

CVE-2023-24812

Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag notes/search-by-tag. This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to...

9.8CVSS7.8AI score0.0071EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 1:43 a.m.8 views

CVE-2023-43805

Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possibl...

7.5CVSS7.1AI score0.00645EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:14 a.m.14 views

CVE-2019-1020010

Misskey before 10.102.4 allows hijacking a user's token...

6.1CVSS6.9AI score0.01263EPSS
Exploits1References1
Veracode
Veracode
added 2025/05/12 6:17 a.m.8 views

Redirect Filter Bypass

@misskey-dev/summaly is vulnerable to Redirect Filter Bypass. The vulnerability is due to a logic error in the summaly function that prevents the allowRedirects option from being passed, which allows an attacker to force the library to follow unintended redirects...

6.1CVSS6.5AI score0.00218EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2025/05/07 7:14 p.m.15 views

CVE-2025-46340

Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in UrlPreviewService and MkUrlPreview, it is possible for an attacker to inject arbitrary CSS into the MkUrlPreview component...

7.2CVSS7.1AI score0.00214EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/07 7:14 p.m.20 views

CVE-2025-46559

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious...

7.5CVSS7AI score0.0037EPSS
Exploits1References1
NVD
NVD
added 2025/05/05 7:15 p.m.12 views

CVE-2025-46553

@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects,...

6.1CVSS0.00218EPSS
Exploits0References2
NVD
NVD
added 2025/05/05 7:15 p.m.12 views

CVE-2025-46559

Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in Mk:api allows malicious AiScript code to access additional endpoints that it isn't designed to have access to. The missing validation allows malicious...

7.5CVSS0.0037EPSS
Exploits1References2
NVD
NVD
added 2025/05/05 7:15 p.m.16 views

CVE-2025-46340

Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in UrlPreviewService and MkUrlPreview, it is possible for an attacker to inject arbitrary CSS into the MkUrlPreview component...

7.2CVSS0.00214EPSS
Exploits0References2
CVE
CVE
added 2025/05/05 6:38 p.m.54 views

CVE-2025-46559

CVE-2025-46559 is a Misskey directory traversal vulnerability. In Misskey versions 12.31.0 through 2025.4.0, missing validation in Mk:api lets AiScript prefix a URL with ".." to escape the /api path, enabling requests to endpoints such as /files, /url, and /proxy. The issue is fixed in version 20...

7.5CVSS5.5AI score0.0037EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder