tootsuite mastodon Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of tootsuite mastodon's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical4

High10

Medium19

Low3

In CISA’s Known Exploited Vulnerabilities catalog

None of tootsuite mastodon's CVEs are currently listed in CISA's KEV catalog.

Public exploits

6 of tootsuite mastodon's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every tootsuite mastodon version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

v4.4.015 CVEs
v4.4.115 CVEs
v4.4.215 CVEs
v4.0.014 CVEs
v4.0.114 CVEs
v4.0.214 CVEs
v4.1.014 CVEs
v4.4.314 CVEs
v4.4.414 CVEs
v4.4.514 CVEs
v4.1.0rc113 CVEs
v4.1.0rc213 CVEs
v4.1.0rc313 CVEs
v4.1.111 CVEs
v4.4.611 CVEs
v4.4.711 CVEs
v4.1.210 CVEs
v4.4.810 CVEs
v4.4.910 CVEs
v4.5.010 CVEs
v4.5.110 CVEs
v4.5.210 CVEs
v3.5.09 CVEs
v3.5.19 CVEs
v3.5.29 CVEs
v4.0.39 CVEs
v4.2.09 CVEs
v4.2.0-beta19 CVEs
v4.2.19 CVEs
v4.2.29 CVEs
v4.2.39 CVEs
v4.2.49 CVEs
v4.4.109 CVEs
v4.5.39 CVEs
v2.6.08 CVEs
v2.6.18 CVEs
v2.7.08 CVEs
v2.7.0rc18 CVEs
v2.7.0rc28 CVEs
v2.7.0rc38 CVEs
v2.7.18 CVEs
v2.8.08 CVEs
v2.8.0rc18 CVEs
v2.8.0rc28 CVEs
v2.8.0rc38 CVEs
v2.8.18 CVEs
v2.8.28 CVEs
v2.9.08 CVEs
v2.9.0rc18 CVEs
v2.9.0rc28 CVEs
v2.9.18 CVEs
v2.9.28 CVEs
v3.0.08 CVEs
v3.0.0rc18 CVEs
v3.0.0rc28 CVEs
v3.0.0rc38 CVEs
v3.0.18 CVEs
v3.1.08 CVEs
v3.1.0rc18 CVEs
v3.1.0rc28 CVEs
v3.1.18 CVEs
v3.1.28 CVEs
v3.1.38 CVEs
v3.1.48 CVEs
v3.2.08 CVEs
v3.2.0rc18 CVEs
v3.2.0rc28 CVEs
v3.3.08 CVEs
v3.3.0rc18 CVEs
v3.3.0rc28 CVEs
v3.3.0rc38 CVEs
v3.4.08 CVEs
v3.4.0rc18 CVEs
v3.4.0rc28 CVEs
v3.4.18 CVEs
v3.5.0rc18 CVEs
v3.5.0rc28 CVEs
v3.5.0rc38 CVEs
v3.5.38 CVEs
v4.0.0rc18 CVEs
v4.0.48 CVEs
v4.2.58 CVEs
v4.3.08 CVEs
v4.3.18 CVEs
v4.3.28 CVEs
v4.3.38 CVEs
v4.0.0rc27 CVEs
v4.0.0rc37 CVEs
v4.0.0rc47 CVEs
v4.4.117 CVEs
v4.5.47 CVEs
v2.5.06 CVEs
v2.6.0rc16 CVEs
v2.6.0rc26 CVEs
v2.6.0rc36 CVEs
v2.6.0rc46 CVEs
v4.1.106 CVEs
v4.1.116 CVEs
v4.1.126 CVEs
v4.1.36 CVEs
v4.1.46 CVEs
v4.1.56 CVEs
v4.1.66 CVEs
v4.1.76 CVEs
v4.1.86 CVEs
v4.1.96 CVEs
v4.2.0-beta26 CVEs
v4.2.0-beta36 CVEs
v4.2.0-rc16 CVEs
v4.2.0-rc26 CVEs
v4.2.66 CVEs
v4.3.106 CVEs
v4.3.46 CVEs
v4.3.56 CVEs
v4.3.66 CVEs
v4.3.76 CVEs
v4.3.86 CVEs
v4.3.96 CVEs
v1.35 CVEs
v1.3.15 CVEs
v1.3.25 CVEs
v1.4.15 CVEs
v1.4.25 CVEs
v1.4.35 CVEs
v1.4.45 CVEs
v1.4.55 CVEs
v1.4.65 CVEs
v1.4.75 CVEs
v1.4rc15 CVEs
v1.4rc25 CVEs
v1.4rc35 CVEs
v1.4rc45 CVEs
v1.4rc55 CVEs
v1.4rc65 CVEs
v1.5.05 CVEs
v1.5.0rc15 CVEs
v1.5.0rc25 CVEs
v1.5.0rc35 CVEs
v1.5.15 CVEs
v1.6.05 CVEs
v1.6.0rc15 CVEs
v1.6.0rc25 CVEs
v1.6.0rc35 CVEs
v1.6.0rc45 CVEs
v1.6.0rc55 CVEs
v1.6.15 CVEs
v2.0.05 CVEs
v2.0.0rc15 CVEs
v2.0.0rc25 CVEs
v2.0.0rc35 CVEs
v2.0.0rc45 CVEs
v2.1.05 CVEs
v2.1.0rc15 CVEs
v2.1.0rc25 CVEs
v2.1.0rc35 CVEs
v2.1.0rc45 CVEs
v2.1.0rc55 CVEs
v2.1.0rc65 CVEs
v2.1.15 CVEs
v2.1.25 CVEs
v2.1.35 CVEs
v2.2.05 CVEs
v2.2.0rc15 CVEs
v2.2.0rc25 CVEs
v2.3.05 CVEs
v2.3.0rc15 CVEs
v2.3.0rc25 CVEs
v2.3.0rc35 CVEs
v2.3.15 CVEs
v2.3.1rc15 CVEs
v2.3.1rc25 CVEs
v2.3.1rc35 CVEs
v2.3.25 CVEs
v2.3.2rc15 CVEs
v2.3.2rc25 CVEs
v2.3.2rc35 CVEs
v2.3.2rc45 CVEs
v2.3.2rc55 CVEs
v2.4.05 CVEs
v2.4.0rc15 CVEs
v2.4.0rc25 CVEs
v2.4.0rc35 CVEs
v2.4.0rc45 CVEs
v2.4.0rc55 CVEs
v2.4.15 CVEs
v2.4.1rc15 CVEs
v2.4.1rc25 CVEs
v2.4.1rc35 CVEs
v2.4.1rc45 CVEs
v2.4.25 CVEs
v2.4.2rc15 CVEs
v2.4.2rc25 CVEs
v2.4.2rc35 CVEs
v2.4.35 CVEs
v2.4.3rc15 CVEs
v2.4.3rc25 CVEs
v2.4.3rc35 CVEs
v2.5.0rc15 CVEs
v2.5.0rc25 CVEs
v3.5.45 CVEs
v3.5.55 CVEs
v4.1.135 CVEs
v4.2.75 CVEs
v4.2.85 CVEs
v4.3.115 CVEs
v4.3.125 CVEs
v4.3.135 CVEs
v0.1.04 CVEs
v0.1.14 CVEs
v0.1.24 CVEs
v0.64 CVEs
v0.74 CVEs
v0.84 CVEs
v0.94 CVEs
v0.9.94 CVEs
v1.04 CVEs
v1.14 CVEs
v1.1.14 CVEs
v1.1.24 CVEs
v1.24 CVEs
v1.2.14 CVEs
v1.2.24 CVEs
v3.5.64 CVEs
v3.5.74 CVEs
v4.0.104 CVEs
v4.0.114 CVEs
v4.0.124 CVEs
v4.0.54 CVEs
v4.0.64 CVEs
v4.0.74 CVEs
v4.0.84 CVEs
v4.0.94 CVEs
v3.5.83 CVEs
v4.0.133 CVEs
v4.1.143 CVEs
v4.2.93 CVEs
v4.4.123 CVEs
v4.5.53 CVEs
v4.1.152 CVEs
v4.1.162 CVEs
v4.2.102 CVEs
v4.2.112 CVEs
v4.2.122 CVEs
v4.2.132 CVEs
v4.2.142 CVEs
v4.2.152 CVEs
v4.3.0-beta.12 CVEs
v4.3.0-beta.22 CVEs
v4.3.0-rc.12 CVEs
v4.3.142 CVEs
v4.4.132 CVEs
v4.5.62 CVEs
v4.0.141 CVE
v4.1.171 CVE
v4.3.151 CVE
v4.3.161 CVE

Fixed in

0d5781ca7609590a6d5340bb685bb1804056bb464 CVEs
8d7f6550f91338fb69e5c6e0cd286531227846654 CVEs
b10c974ba1952c545acff505bfd36feb0c60b0004 CVEs
cbb10858555d3cbfde24d52859e2d690526c81734 CVEs
db943c43c8fe834a0db6e87c020783ecf42476a94 CVEs
fa553d848417ffe48f23794f7b798b87eb57477f4 CVEs
6dee9a12d2c2c3671ad9f4bc035f050a7c9549c53 CVEs
956ac0e3389457b58995312c599d735b0c7f00be3 CVEs
d7f4eca801bb702f487287eb218a9e7a133ee3413 CVEs
004f3aa2356e64a463feff26dda3ed41547ed7182 CVEs
015858aef749b39e0a0ac662c8022ea0bf23b456

Find a version

36 CVEs

Sort

Mastodon has SSRF via unvalidated FASP Provider base_url
CVE-2026-27477
Patch
CWE-918
Medium · CVSS 4.6
EPSS 0.1% (22th pct)2026-02-24
Mastodon may allow unconfirmed FASP to make subscriptions
CVE-2026-27468
Patch
CWE-862
Medium · CVSS 4.8
EPSS 0.1% (19th pct)2026-02-24
Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)
CVE-2026-25540
Patch
CWE-524
Medium · CVSS 6.5
EPSS 0.0% (7th pct)2026-02-04
Mastodon has insufficient access control to push notification settings
CVE-2026-23964
Patch
CWE-863
Medium · CVSS 6.5
EPSS 0.1% (21th pct)2026-01-22
Mastodon missing length limits on list names, filter names, and filter keywords
CVE-2026-23963
Patch
CWE-770
Medium · CVSS 4.3
EPSS 0.1% (29th pct)2026-01-22
Mastodon vulnerable to Denial of Service from a single post (client/server)
CVE-2026-23962
Patch
CWE-770
High · CVSS 7.5
EPSS 0.1% (18th pct)2026-01-22
Mastodon may allow a remote suspension bypass
CVE-2026-23961
Patch
CWE-863
Medium · CVSS 5.3
EPSS 0.0% (8th pct)2026-01-22
Local Mastodon users can enumerate and access severed relationships of every other local user
CVE-2026-22246
Patch
CWE-201
Medium · CVSS 6.5
EPSS 0.1% (22th pct)2026-01-08
Mastodon has SSRF Protection bypass
CVE-2026-22245
Patch
CWE-918
High · CVSS 7.1
EPSS 0.1% (21th pct)2026-01-08
Mastodon Error Handling Discrepancy Enables Private Status Existence Enumeration
CVE-2025-67500
Patch
CWE-204
Low · CVSS 3.7
EPSS 0.0% (13th pct)2025-12-09
Mastodon quotes control can be bypassed
CVE-2025-62605
Patch
CWE-754
Medium · CVSS 4.3
EPSS 0.1% (16th pct)2025-10-21
Mastadon streaming server allows OAuth clients without the `read` scope to subscribe to public channels
CVE-2025-62176
Patch
CWE-280
Medium · CVSS 4.3
EPSS 0.1% (24th pct)2025-10-13
Mastodon streaming API fails to disconnect disabled and suspended users
CVE-2025-62175
Patch
CWE-274
Medium · CVSS 4.3
EPSS 0.1% (19th pct)2025-10-13
Mastodon allows continued access after password reset via CLI
CVE-2025-62174
Patch
CWE-613
Low · CVSS 3.5
EPSS 0.0% (14th pct)2025-10-13
Mastodon e‑mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails
CVE-2025-54879
Public exploit
Patch
CWE-770
Medium · CVSS 5.3
EPSS 0.4% (62th pct)2025-08-05
Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"
CVE-2025-27399
Patch
CWE-200
Medium · CVSS 5.3
EPSS 0.4% (64th pct)2025-02-27
Mastodon's rate-limits are missing on `/auth/setup`
CVE-2025-27157
Patch
CWE-770
Medium · CVSS 5.3
EPSS 0.2% (47th pct)2025-02-27
High vulnerability · 2024-11-18
CVE-2023-49952
Patch
CWE-79
High · CVSS 7.5
EPSS 0.2% (42th pct)2024-11-18
Medium vulnerability · 2024-10-03
CVE-2024-34535
Patch
CWE-444
Medium · CVSS 5.9
EPSS 0.1% (22th pct)2024-10-03
High vulnerability · 2024-07-05
CVE-2024-37903
Patch
CWE-862
High · CVSS 8.2
EPSS 0.8% (75th pct)2024-07-05
High vulnerability · 2024-02-19
CVE-2024-25623
Patch
CWE-434
High · CVSS 8.5
EPSS 0.2% (38th pct)2024-02-19
Low vulnerability · 2024-02-14
CVE-2024-25619
Patch
CWE-613
Low · CVSS 3.1
EPSS 0.4% (59th pct)2024-02-14
Medium vulnerability · 2024-02-14
CVE-2024-25618
Public exploit
Patch
CWE-287
Medium · CVSS 4.2
EPSS 0.4% (60th pct)2024-02-14
Critical vulnerability · 2024-02-01
CVE-2024-23832
Patch
CWE-290
Critical · CVSS 9.4
EPSS 1.8% (83th pct)2024-02-01
Medium vulnerability · 2023-09-19
CVE-2023-42452
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.6% (71th pct)2023-09-19
High vulnerability · 2023-09-19
CVE-2023-42451
Patch
CWE-706
High · CVSS 7.4
EPSS 0.3% (55th pct)2023-09-19
Medium vulnerability · 2023-09-19
CVE-2023-42450
Patch
CWE-918
Medium · CVSS 5.4
EPSS 0.4% (60th pct)2023-09-19
Mastodon's verified profile links can be formatted in a misleading way
CVE-2023-36462
Patch
CWE-20
Medium · CVSS 5.4
EPSS 1.6% (82th pct)2023-07-06
Mastodon vulnerable to Denial of Service through slow HTTP responses
CVE-2023-36461
Patch
CWE-770
High · CVSS 7.5
EPSS 0.2% (45th pct)2023-07-06
Critical vulnerability · 2023-07-06
CVE-2023-36460
Patch
CWE-22
Critical · CVSS 10.0
EPSS 44.8% (98th pct)2023-07-06

Showing 30 of 36

Severity and exploitation

tootsuite mastodon Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other tootsuite products

Frequently asked questions

How many CVEs does tootsuite mastodon have?

How many tootsuite mastodon CVEs are in CISA KEV?

Are there public exploits for tootsuite mastodon vulnerabilities?

Which versions of tootsuite mastodon are affected?

What are the most common weakness types in tootsuite mastodon CVEs?

How many critical tootsuite mastodon vulnerabilities are there?

What is the average severity of tootsuite mastodon CVEs?

References

Track tootsuite mastodon vulnerabilities