CVE-2026-33869

EUVD-2026-16785
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
joinmastodonmastodon
4.4.0 ≤
𝑥
< 4.4.15
joinmastodonmastodon
4.5.0 ≤
𝑥
< 4.5.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/mastodon/mastodon/security/advisories/GHSA-q4g8-82c5-9h33