CVE-2026-41259

Summary

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Affected Software

VendorProductVersion RangeStatus
mastodonmastodon< 4.3.22affected
mastodonmastodon>= 4.4.0-beta.1, < 4.4.16affected
mastodonmastodon>= 4.5.0-beta.1, < 4.5.9affected

Weaknesses

  • CWE-841: CWE-841: Improper Enforcement of Behavioral Workflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References