CVE-2026-41259

EUVD-2026-25282
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
joinmastodonmastodon
𝑥
< 4.3.22
joinmastodonmastodon
4.4.0 ≤
𝑥
< 4.4.16
joinmastodonmastodon
4.5.0 ≤
𝑥
< 4.5.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh