Every CVE whose affected-product data names Joinmastodon Mastodon, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (42)
CVE-2023-36460 — CVSS 9.9 (critical): Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5…
CVE-2022-2166 — CVSS 9.8 (critical): Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
CVE-2022-24307 — CVSS 9.8 (critical): Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities…
CVE-2024-23832 — CVSS 9.4 (critical): Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to…
CVE-2023-36459 — CVSS 9.3 (critical): Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and…
CVE-2024-25623 — CVSS 8.5 (high): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when…
CVE-2024-37903 — CVSS 8.2 (high): Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting…
CVE-2026-27468 — CVSS 8.2 (high): Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator…
CVE-2023-28853 — CVSS 7.7 (high): Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication…
CVE-2023-36461 — CVSS 7.5 (high): Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout…
CVE-2022-46405 — CVSS 7.5 (high): Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow…
CVE-2023-49952 — CVSS 7.5 (high): Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
CVE-2026-22245 — CVSS 7.5 (high): Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to…
CVE-2026-23962 — CVSS 7.5 (high): Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not…
CVE-2026-41259 — CVSS 7.5 (high): Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows…
CVE-2023-42451 — CVSS 7.4 (high): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under…
CVE-2026-22246 — CVSS 6.5 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships…
CVE-2026-25540 — CVSS 6.5 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable…
CVE-2026-23964 — CVSS 6.5 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct…
CVE-2023-42452 — CVSS 6.1 (medium): Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8…
CVE-2024-34535 — CVSS 5.9 (medium): In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.
CVE-2026-27477 — CVSS 5.9 (medium): Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator…
CVE-2023-36462 — CVSS 5.4 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5…
CVE-2023-42450 — CVSS 5.4 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2…
CVE-2026-23961 — CVSS 5.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users…
CVE-2025-27399 — CVSS 5.3 (medium): Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain…
CVE-2025-27157 — CVSS 5.3 (medium): Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate…
CVE-2025-54879 — CVSS 5.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for…
CVE-2026-33869 — CVSS 4.8 (medium): Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x…
CVE-2025-62175 — CVSS 4.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or…
CVE-2025-62176 — CVSS 4.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming…
CVE-2025-62605 — CVSS 4.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts…
CVE-2026-33868 — CVSS 4.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated…
CVE-2026-23963 — CVSS 4.3 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does…
CVE-2022-48364 — CVSS 4.3 (medium): The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the…
CVE-2024-25618 — CVSS 4.2 (medium): Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication…
CVE-2025-67500 — CVSS 3.7 (low): Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14…
CVE-2025-62174 — CVSS 3.5 (low): Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an…
CVE-2024-25619 — CVSS 3.1 (low): Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server…