📦 Mastodon
by Joinmastodon
🔍 What is Mastodon?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability in Mastodon's LDAP authentication allows attackers to impersonate and take over any remote account due to insufficient origin validation. All Mastodon instances using LDAP authentic...
This vulnerability allows attackers to inject arbitrary HTML into Mastodon oEmbed preview cards by bypassing HTML sanitization. When users click on malicious links with crafted oEmbed data, cross-site...
Mastodon instances running vulnerable versions have incorrect access control due to improper handling of signed JSON-LD activities. This allows attackers to bypass intended access restrictions and pot...
Mastodon servers running vulnerable versions allow attackers to create remote posts with unlimited poll options, causing excessive resource consumption. This can lead to denial of service on both serv...
Mastodon's IP address filtering mechanism had incomplete coverage, allowing attackers to bypass protections against local network requests. This enables Server-Side Request Forgery (SSRF) attacks wher...
This CVE describes an authorization bypass vulnerability in Mastodon where attackers can craft specific activities to extend the audience of posts they don't own, gaining unauthorized access to privat...
This vulnerability in Mastodon allows attackers to spoof domains they don't own by exploiting flaws in domain name normalization. This could enable impersonation attacks, phishing, or unauthorized acc...
This vulnerability in Mastodon allows malicious servers to perform slowloris-type attacks by extending HTTP response durations indefinitely. This can exhaust all Mastodon workers, making the server un...
This vulnerability allows attackers to perform LDAP injection attacks on Mastodon instances configured with LDAP authentication. By manipulating login queries, attackers can extract arbitrary attribut...
This vulnerability allows unauthenticated attackers to register FASP accounts with attacker-controlled base URLs that point to internal systems, forcing Mastodon servers to make HTTP(S) requests to in...
Mastodon servers with AUTHORIZED_FETCH enabled are vulnerable to web cache poisoning where ActivityPub endpoints for pinned posts and featured hashtags incorrectly reuse cached responses regardless of...
Mastodon servers prior to patched versions allow users to set arbitrarily long names for lists/filters and filter keywords, enabling resource exhaustion attacks. Any authenticated user can exploit thi...
This CVE describes an insecure direct object reference vulnerability in Mastodon's web push subscription update endpoint. Authenticated users can tamper with other users' push notification settings by...
This CVE describes a logic error in Mastodon's user suspension feature that allows posts from suspended remote users to appear in timelines. All Mastodon versions are affected by occasional display of...
This vulnerability in Mastodon allows any registered local user to access lists of severed relationships (lost followers/followed users) from moderation events without authorization. The leaked inform...
This vulnerability allows attackers to bypass quote controls in Mastodon by reblogging a post and then quoting their own reblog, effectively quoting content they weren't authorized to quote. This affe...
Mastodon's streaming server incorrectly allows OAuth clients with valid authentication tokens to subscribe to public timeline events even when those tokens lack the required read:statuses scope. This ...
Mastodon servers running vulnerable versions allow disabled or suspended user accounts to maintain real-time streaming API connections, receiving updates despite being blocked from other interactions....
This vulnerability allows attackers to bypass email confirmation rate limits in Mastodon by rotating IP addresses, enabling them to send unlimited confirmation emails to any email address. This can le...
Mastodon instances with domain block visibility set to 'users' (logged-in users) inadvertently expose block reasons to unapproved users. This affects instance administrators who want to keep domain bl...
This vulnerability in Mastodon allows attackers to confirm the existence of private statuses by sending requests with non-English Accept-Language headers. While it doesn't reveal content or other prop...