8 matches found
CVE-2026-46349
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to...
CVE-2026-48028
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...
CVE-2026-50128
Mastodon vulnerability CVE-2026-50128 affects versions 4.3.0 through 4.5.11 and 4.4.18, where an error in the attributionDomains JSON-LD handling allows an attacker to arbitrarily modify the attributionDomains value on a legitimately signed Update and bypass signature verification. This can under...
CVE-2026-50128 Mastodon: Spoofing of attribution domains
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...
CVE-2026-50128
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...
CVE-2026-48028
Mastodon (open-source social network server) versions prior to 4.5.10, 4.4.17, and 4.3.23 are affected. The vulnerability arises from how incoming activities signed with Linked-Data Signatures are normalized, failing to adequately protect against a class of spoofing that lets an attacker remove J...
Insufficient Verification of Data Authenticity
Overview laravel/reverb is a provider of a real-time WebSocket communication backend for Laravel applications. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the verification of API signatures. An attacker can manipulate the API by sendi...
USN-6138-1: libssh vulnerabilities
Philip Turnbull discovered that libssh incorrectly handled rekeying with algorithm guessing. A remote attacker could use this issue to cause libssh to crash, resulting in a denial of service, or possibly execute arbitrary code. CVE-2023-1667 Kevin Backhouse discovered that libssh incorrectly...