CVE-2026-25808

EUVD-2026-6393
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
fedifyhollo
0.6.0 ≤
𝑥
< 0.6.20
fedifyhollo
0.7.0 ≤
𝑥
< 0.7.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e
https://github.com/fedify-dev/hollo/releases/tag/0.6.20
https://github.com/fedify-dev/hollo/releases/tag/0.7.2
https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5