CVE-2026-42462
CVE-2026-42462 is a high-severity vulnerability with a CVSS 3.x base score of 7.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-180.
Key facts
- Severity: High (CVSS 3.x base score 7.0)
- EPSS exploit prediction: 0% (7th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-36127
- Weakness: CWE-180
- Published:
- Last modified:
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Frequently asked questions
- What is CVE-2026-42462?
- Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
- How severe is CVE-2026-42462?
- CVE-2026-42462 has a CVSS 3.x base score of 7.0, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability low.
- Is CVE-2026-42462 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-42462?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-42462 have an EU (EUVD) identifier?
- Yes. CVE-2026-42462 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-36127.
- When was CVE-2026-42462 published?
- CVE-2026-42462 was published on 2026-06-10 and last updated on 2026-06-17.
References
- https://github.com/fedify-dev/fedify/releases/tag/2.2.3
- https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367
Other CWE-180 vulnerabilities
- CVE-2026-24895 — Critical (CVSS 9.8): FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly…
- CVE-2026-48721 — High (CVSS 8.6): Warp is an agentic development environment. From 0.2025.10.08.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp…
- CVE-2026-45022 — High (CVSS 7.5): go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may…
- CVE-2026-39364 — High (CVSS 7.5): Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server,…
- CVE-2025-43716 — Medium (CVSS 5.8): A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. By appending %3F.php…
- CVE-2025-33194 — Medium (CVSS 5.7): NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of…