CVE-2026-42462

CVE-2026-42462 describes an LD-Signature bypass in Fedify caused by JSON-LD named-graph restructuring. The issue allows an attacker to reorganize a signed JSON-LD payload (via features like @graph, @reverse, @included) in a way that changes how the signed ActivityPub activity is interpreted witho...

GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

EUVD-2026-16785

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The...

EUVD-2026-5329

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via Rails.cache. When AUTHORIZEDFETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that...

EUVD-2025-34111

Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allow...

CVE-2025-38437

creationtimestamp| type| source ---|---|--- 2025-07-25 16:24:10+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lushifr47hx2 2026-03-19 00:00:00+00:00| seen| https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0316/...

CVE-2025-5646

creationtimestamp| type| source ---|---|--- 2025-06-05 08:47:29+00:00| seen| https://bsky.app/profile/FunctionalProgramming.activitypub.awakari.com.ap.brid.gy/post/3lqtwoot3hzv2 2025-06-05 11:22:43+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqu7ekpprg2s...

CVE-2025-5643

creationtimestamp| type| source ---|---|--- 2025-06-05 07:55:56+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqttpw3onps2 2025-06-05 10:46:18+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqu5dg2pcf2m...

CVE-2025-5620

creationtimestamp| type| source ---|---|--- 2025-06-05 00:07:27+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqszmnitnsw2...

CVE-2025-5604

creationtimestamp| type| source ---|---|--- 2025-06-04 20:06:24+00:00| seen| https://bsky.app/profile/FunctionalProgramming.activitypub.awakari.com.ap.brid.gy/post/3lqsm3svj6dk2...

CVE-2025-5499

creationtimestamp| type| source ---|---|--- 2025-06-03 14:53:00+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqpk5waorip2...

CVE-2025-4435

creationtimestamp| type| source ---|---|--- 2025-06-03 14:03:09+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqphcvccuqj2 2025-06-03 15:59:30+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqpnvmqodk2s 2025-06-09...

CVE-2025-48996

creationtimestamp| type| source ---|---|--- 2025-06-02 20:37:42+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqnmxvlqxrc2 2025-06-03 00:42:18+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqo2nkdcel2e...

CVE-2025-48387

creationtimestamp| type| source ---|---|--- 2025-06-02 20:00:25+00:00| published-proof-of-concept| Telegram/M9ruxIqfssiRmufIiVDPBVG9309mAKgr9KyLQBBOZAkMKU 2025-06-02 20:37:43+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqnmxx4dtgv2...

CVE-2025-20678

creationtimestamp| type| source ---|---|--- 2025-06-02 04:05:46+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqlvjyvabm62 2025-06-02 04:38:34+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqlxf3wy3z2k 2025-06-02...

CVE-2025-26396

creationtimestamp| type| source ---|---|--- 2025-06-02 03:00:00+00:00| seen| http://www.zerodayinitiative.com/advisories/ZDI-25-320/ 2025-06-02 13:27:58+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqmurtdkd6e2 2025-06-02 14:00:51+00:0...

CVE-2025-5367

creationtimestamp| type| source ---|---|--- 2025-05-31 01:45:15+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqgmr3lqucy2 2025-05-31 06:02:17+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqh34xgzj42e...

CVE-2024-42190

creationtimestamp| type| source ---|---|--- 2025-05-30 16:29:08+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqfnom5xinh2 2025-05-30 20:01:43+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqfzl2xy6h2m...

CVE-2025-44612

creationtimestamp| type| source ---|---|--- 2025-05-30 02:41:31+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqe7gsn64p52 2025-05-30 06:06:50+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3lqekw6x4fu2m...

CVE-2025-30087

creationtimestamp| type| source ---|---|--- 2025-05-28 18:24:36+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqat7ccgwur2...