Joinmastodon Mastodon

5 matches found

added 2024/10/03 6:15 p.m. | 65 views

CVE-2024-34535

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.

CVSS 5.9 | AI score 6.5 | EPSS 0.00266
added 2022/05/24 4:15 a.m. | 64 views

CVE-2022-31263

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

CVSS 5.3 | AI score 5.3 | EPSS 0.00224
added 2025/02/27 6:15 p.m. | 55 views

CVE-2025-27399

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins ...

CVSS 5.3 | AI score 5.3 | EPSS 0.00059
added 2025/02/27 5:15 p.m. | 34 views

CVE-2025-27157

Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on /auth/setup. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary address. Versions 4.2.16 and...

CVSS 5.3 | AI score 5.3 | EPSS 0.00085
added 2023/07/06 8:15 p.m. | 27 views

CVE-2023-36462

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a dif...

CVSS 5.4 | AI score 5.8 | EPSS 0.01525