CVE-2026-23962

Severity: HIGH | CVSS 7.5/10 | EPSS 0.49%

CVE-2026-23962 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 impose no limit on the number of poll options in remote posts, so an attacker can create polls with a very large number of options and greatly increase resource consumption. EPSS estimates a 0.49% chance of exploitation in the next 30 days.

Description

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 impose no limit on the number of poll options in remote posts, so a remote attacker can create polls with a very large number of options and greatly increase resource consumption. Depending on the number of options, the attacker can cause disproportionate resource usage on both Mastodon servers and clients, potentially causing a denial of service on either side. Mastodon versions v4.3.18, v4.4.12, and v4.5.5 are patched.
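The defect is the missing bound on the option count of polls received from remote servers. As an added illustration (not Mastodon's own code), the Ruby below shows how a federation ingestion step can reject an oversized ActivityPub Question object before any per-option work is done, and how the same function can truncate instead of reject where that policy is preferred. The cap value `MAX_REMOTE_POLL_OPTIONS`, the function names and the sample objects are assumptions constructed for this example.

```ruby
# Added example, not Mastodon's code: bound the number of options accepted from a
# remote ActivityPub Question before it is persisted or rendered.
require 'json'

MAX_REMOTE_POLL_OPTIONS = 20 # assumed cap; choose what your deployment can afford

class PollOptionLimitExceeded < StandardError; end

# Extracts option names from a parsed Question ("oneOf" = single choice,
# "anyOf" = multiple choice). Raises if the remote side sent more than the cap,
# or truncates to the cap when truncate: true is passed.
def extract_remote_poll_options(question, max_options: MAX_REMOTE_POLL_OPTIONS, truncate: false)
  raise ArgumentError, 'not a Question object' unless question['type'] == 'Question'

  multiple = question.key?('anyOf')
  raw = question[multiple ? 'anyOf' : 'oneOf']
  raise ArgumentError, 'Question has no oneOf/anyOf array' unless raw.is_a?(Array)

  # Check the count first: an oversized poll is rejected in O(1) instead of
  # after allocating and normalising every option.
  if raw.size > max_options
    if truncate
      raw = raw.first(max_options)
    else
      raise PollOptionLimitExceeded,
            "remote poll has #{raw.size} options, limit is #{max_options}"
    end
  end

  options = raw.filter_map do |item|
    name = item.is_a?(Hash) ? item['name'] : nil
    name.is_a?(String) && !name.strip.empty? ? name.strip : nil
  end
  raise ArgumentError, 'Question has no valid options' if options.empty?

  { multiple: multiple, options: options }
end

# Wrapper returning a status tuple for an ingestion pipeline that drops and
# logs bad activities rather than raising.
def validate_remote_poll(json)
  question = JSON.parse(json)
  [:ok, extract_remote_poll_options(question)]
rescue PollOptionLimitExceeded => e
  [:rejected, e.message]
rescue JSON::ParserError, ArgumentError => e
  [:invalid, e.message]
end

# Constructed samples: a well-formed two-option poll and an oversized one.
SMALL_POLL = JSON.generate(
  'type' => 'Question',
  'content' => 'Tea or coffee?',
  'oneOf' => [{ 'type' => 'Note', 'name' => 'Tea' }, { 'type' => 'Note', 'name' => 'Coffee' }]
)
HUGE_POLL = JSON.generate(
  'type' => 'Question',
  'content' => 'Pick one',
  'oneOf' => Array.new(10_000) { |i| { 'type' => 'Note', 'name' => "option #{i}" } }
)

if __FILE__ == $PROGRAM_NAME
  p validate_remote_poll(SMALL_POLL) # [:ok, {multiple: false, options: ["Tea", "Coffee"]}]
  p validate_remote_poll(HUGE_POLL)  # [:rejected, "remote poll has 10000 options, limit is 20"]
end
```

Counting before normalising matters: the cost the advisory describes scales with the option count, so the check has to run before anything iterates over the options. Whether to reject or truncate is a policy choice; rejecting is the safer default because a truncated poll silently misrepresents the remote post.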

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.49%

38.3rd percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor        Product   Versions
Joinmastodon  Mastodon  < 4.3.18
Joinmastodon  Mastodon  >= 4.4.0, < 4.4.12
Joinmastodon  Mastodon  >= 4.5.0, < 4.5.5

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

How severe is CVE-2026-23962?
CVE-2026-23962 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.49% probability of exploitation in the next 30 days.
How do I fix CVE-2026-23962?
Upgrade to a patched release for your line: v4.3.18 (4.3.x), v4.4.12 (4.4.x), or v4.5.5 (4.5.x). Check the vendor references and advisories for further mitigation guidance.


Source: NVD / NIST