Skip to main content

Mastodon EUVDEUVD-2026-39060

| CVE-2026-50129 HIGH
Uncaught Exception (CWE-248)
2026-06-24 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remotely reachable via federation with no auth or interaction and low complexity; impact is availability-only (uncaught-exception crash), so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 20:50 vuln.today

DescriptionCVE.org

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.

AnalysisAI

Denial of service in Mastodon affects all self-hosted instances prior to 4.5.11, 4.4.18, and 4.3.24, where the math content sanitizer fails to handle exceptions raised while processing malformed <math> nodes (MathML). A remote attacker can craft content containing broken math markup that propagates an uncaught exception, crashing whole-server services or disrupting service for targeted users depending on which component processes the malformed node. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable Mastodon instance
Delivery
Craft malformed <math> MathML node
Exploit
Deliver via federation or post
Execution
Sanitizer raises uncaught exception
Impact
Service crashes, denying availability

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run an unpatched Mastodon (below 4.5.11 / 4.4.18 / 4.3.24) and that the malformed `<math>`/MathML content reach a service that invokes the math sanitizer - which occurs through normal federated or user-submitted content paths, so no special non-default feature toggle is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5) is internally consistent with a remotely reachable, no-authentication, no-interaction availability attack and accurately reflects the federated, network-exposed nature of Mastodon. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating or controlling any federating ActivityPub instance posts or sends content containing a deliberately malformed `<math>` node, then directs it at a victim Mastodon server or a specific user on it. When the victim server's sanitizer processes the node, the uncaught exception crashes the handling service, denying service to the targeted user or the whole instance. …
Remediation Vendor-released patch: upgrade to Mastodon 4.5.11, 4.4.18, or 4.3.24 (whichever matches your branch) per the advisory at https://github.com/mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Mastodon instances and determine current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-46405 HIGH POC
7.5 Dec 04

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts

CVE-2024-25618 HIGH POC
7.4 Feb 14

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2023-36460 CRITICAL
9.9 Jul 06

Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul

CVE-2024-23832 CRITICAL
9.8 Feb 01

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2022-2166 CRITICAL
9.8 Nov 16

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c

CVE-2026-46348 HIGH
8.7 Jun 24

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing

CVE-2026-47389 HIGH
8.6 Jun 24

Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho

CVE-2026-27468 HIGH
8.2 Feb 24

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t

CVE-2026-41259 HIGH
8.2 Apr 23

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto

CVE-2024-37903 HIGH
8.2 Jul 05

Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot

CVE-2024-25623 HIGH
7.7 Feb 19

Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera

Share

EUVD-2026-39060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy