📦 Misskey
by Misskey
⚠️ Known Vulnerabilities
This vulnerability in Misskey allows attackers to forge ActivityPub objects by manipulating the relationship between 'id' and 'url' fields, bypassing authorization checks. It affects all Misskey insta...
This vulnerability in Misskey allows attackers to create fake user profiles and forged notes that appear to originate from different instances or users. Attackers can fully control these spoofed objec...
This vulnerability in Misskey allows third-party applications to access endpoints or WebSocket APIs without proper user permission due to incorrect 'kind' or 'secure' specifications. It enables unauth...
This vulnerability in Misskey allows arbitrary users to impersonate any remote user due to missing signature validation in the decentralized social media platform. All Misskey instances running vulner...
This CVE describes a CSS injection vulnerability in Misskey's URL preview functionality. Attackers can inject arbitrary CSS to create fake error messages that could deceive users into revealing creden...
Misskey versions 12.109.0 through 2025.2.0-alpha.0 fail to delete authentication tokens from cookies after logout, allowing session persistence. This primarily affects users who log in from shared or ...
This CSRF vulnerability in Misskey's Bull dashboard allows attackers to perform unauthorized actions by tricking authenticated users into submitting malicious requests. It affects Misskey instances ru...
This vulnerability in Misskey allows attackers to spoof signed ActivityPub activity objects by exploiting improper JSON normalization. Attackers can impersonate legitimate users and post content as th...
CVE-2024-25636 is a content-type validation vulnerability in Misskey that allows account takeover through ActivityPub protocol exploitation. Attackers can impersonate legitimate users on remote server...
This vulnerability allows unauthenticated users to bypass authentication for the Bull dashboard job queue management interface in Misskey by editing URLs. This affects all Misskey instances running ve...
This CVE describes a cross-site scripting (XSS) vulnerability in Misskey's URL preview function. Attackers can execute arbitrary JavaScript when users load malicious URLs in the 'View in Player' or 'V...
This vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers by exploiting improper URL validation in Misskey's ActivityPub implementation. It affects all Misskey inst...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Misskey's 'Upload from URL' and remote attachment features. Attackers can exploit this to make the server send requests to inte...
This vulnerability in Misskey allows unauthorized users to export and view posts from favorites or clips they shouldn't have access to. It affects Misskey instances running versions from 13.0.0-beta.1...
This vulnerability allows attackers to bypass IP-based rate limiting in Misskey by forging X-Forwarded-For headers. It affects Misskey instances running versions 2025.9.1 through 2025.11.1 with defaul...
This vulnerability in Misskey allows malicious AiScript code to bypass API endpoint restrictions by using directory traversal sequences (../) to access unauthorized endpoints like /files, /url, and /p...
This vulnerability in Misskey allows attackers to create fake user profiles that appear to belong to different federated instances, enabling impersonation of legitimate users. Attackers can fully cont...
This vulnerability in Misskey allows attackers to manipulate 'origin' links in notes and user profiles to point to arbitrary HTTPS URLs, even on different domains. This enables phishing attacks where ...