Strix
26.1K

CVE-2026-23963

MEDIUMCVSS 6.5/10EPSS 0.30%

Last modified

CVE-2026-23963 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. EPSS estimates a 0.30% chance of exploitation in the next 30 days.

Description

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.30%

21.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
JoinmastodonMastodon< 4.3.18
JoinmastodonMastodon>= 4.4.0, < 4.4.12
JoinmastodonMastodon>= 4.5.0, < 4.5.5

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-23963?
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.
How severe is CVE-2026-23963?
CVE-2026-23963 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.30% probability of exploitation in the next 30 days.
How do I fix CVE-2026-23963?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-23963?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST