7 matches found
CVE-2026-48028 Mastodon: Removal of integrity-protected JSON entries from signed activities
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...
CVE-2026-46349
CVE-2026-46349 affects Mastodon before versions 4.5.10, 4.4.17, and 4.3.23. The issue arises from Mastodon’s normalization of incoming activities signed with Linked-Data Signatures, which does not sufficiently prevent a class of spoofing. An attacker could re-arrange a valid signed JSON-LD activi...
CVE-2026-42462 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...
CVE-2026-42462 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...
EUVD-2026-36127
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...
CVE-2026-42462
CVE-2026-42462 describes an LD-Signature bypass in Fedify caused by JSON-LD named-graph restructuring. The issue allows an attacker to reorganize a signed JSON-LD payload (via features like @graph, @reverse, @included) in a way that changes how the signed ActivityPub activity is interpreted witho...
PT-2026-43443
Name of the Vulnerable Software and Affected Versions Fedify versions prior to 1.9.11 Fedify versions prior to 1.10.10 Fedify versions prior to 2.0.18 Fedify versions prior to 2.1.14 Fedify versions prior to 2.2.3 Description An attacker can utilize JSON-LD features to restructure a JSON-LD...