EUVD-2023-56872

Malicious code in bioql PyPI...

CVE-2025-53941 Hollo renders posts received with form elements and allows submission

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue...

CVE-2025-25306 Misskey's Incomplete Patch of CVE-2024-52591 Leads to Forgery of Federated Notes

Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between the id and url fields of ActivityPub objects. An attacker can forge an object where they claim authority in the url field even if the specific ActivityPub...

Server-Side Request Forgery (SSRF) in activitypub_federation

Summary This vulnerability allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. Details The Webfinger endpoint takes a remote domain for checking accounts as a...

PT-2023-25773 · WordPress · Activitypub

Name of the Vulnerable Software and Affected Versions: ActivityPub WordPress plugin versions prior to 1.0.0 Description: The issue allows any authenticated user to retrieve the title of arbitrary posts, including drafts and private ones, via an IDOR vector. This occurs because the plugin does not...