MEDIUMπŸ‡΅πŸ‡± Wersja polska

CVE-2026-25540

CVSS 6.5v3.1pub. 2026-02-04upd. 2026-02-20

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  • Joinmastodon Mastodon

    APP
    Joinmastodon
    < 4.3.194.4.0 – 4.4.13 (bez)4.5.0 – 4.5.6 (bez)
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-23832CRITICAL9.4PL βœ“ten sam produkt

Mastodon: Podszywanie siΔ™ pod zdalne konta poprzez brak walidacji origin

CVE-2023-36459CRITICAL9.3ten sam produkt

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior ...

CVE-2023-36460CRITICAL9.9ten sam produkt

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prio...

CVE-2022-2166CRITICAL9.8ten sam produkt

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0....

CVE-2022-24307CRITICAL9.8ten sam produkt

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming...

CVE-2026-25540 β€” Joinmastodon β€” Mastodon β€” MEDIUM β€” CVSS 6.5 | CVEbaza.pl