CVE-2026-23962

CVSS v3.1

7.5

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.3.18 Mastodon versions prior to 4.4.12 Mastodon versions prior to 4.5.5

Description Mastodon is a free, open-source social network server based on ActivityPub. Versions of Mastodon prior to 4.3.18, 4.4.12, and 4.5.5 do not limit the maximum number of poll options for remote posts. This allows attackers to create polls with a very large number of options, which can significantly increase resource consumption. An attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially leading to a Denial of Service, either server-side or client-side.

Recommendations Update to Mastodon version 4.3.18 or later. Update to Mastodon version 4.4.12 or later. Update to Mastodon version 4.5.5 or later.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

BIT-MASTODON-2026-23962

CVE-2026-23962

GHSA-GG8Q-RCG7-P79G

Affected Products

Mastodon

CVE-2026-23962

Weakness Enumeration

Related Identifiers

Affected Products

References · 14