PT-2026-3901 · Mastodon · Mastodon

Daprice · Published 2026-01-22 · Updated 2026-02-03 · CVE-2026-23963

CVSS v3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Mastodon versions prior to 4.5.5
Mastodon versions prior to 4.4.12
Mastodon versions prior to 4.3.18

Description
Mastodon, a free and open-source social network server based on ActivityPub, does not limit the length of names for lists or filters, or for filter keywords. This allows a user to set an excessively long string as a name or keyword, potentially causing disproportionate storage and computing resource usage. A user can render their own web interface unusable, though this requires intentional action or approval of a malicious API client.

Recommendations
Update to Mastodon version 4.5.5 or later.
Update to Mastodon version 4.4.12 or later.
Update to Mastodon version 4.3.18 or later.
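The weakness class here (CWE-770, allocation of resources without limits) is usually closed by bounding user-controlled string attributes at the validation layer, in characters rather than bytes, before anything is written. The following is an added illustration of that kind of check, written for this page; it is not Mastodon's code, and the `MAX_NAME_LENGTH` / `MAX_KEYWORD_LENGTH` values, the `validate_*` helper names and the `accept_unbounded` contrast function are all assumptions chosen for the example rather than values taken from the upstream fix.

```ruby
# Added example, not Mastodon's code. Demonstrates bounding the length of
# user-supplied list/filter titles and filter keywords so a single request
# cannot persist an arbitrarily long string. The limits are assumptions for
# illustration, not the values adopted upstream.

MAX_NAME_LENGTH    = 120 # assumed cap for list and filter titles
MAX_KEYWORD_LENGTH = 120 # assumed cap for individual filter keywords

# Unbounded 'before' behaviour, kept only for contrast: any non-nil title
# is accepted regardless of size.
def accept_unbounded(attrs)
  attrs[:title].nil? ? ["title can't be blank"] : []
end

# Check one attribute against a maximum measured with String#length, i.e. in
# characters, so multi-byte UTF-8 input is judged consistently with what the
# user typed rather than by its byte size.
def validate_length(field, value, max)
  errors = []
  if value.nil? || value.strip.empty?
    errors << "#{field} can't be blank"
  elsif value.length > max
    errors << "#{field} is too long (maximum is #{max} characters)"
  end
  errors
end

# A list has a single user-controlled name.
def validate_list(attrs)
  validate_length("title", attrs[:title], MAX_NAME_LENGTH)
end

# A filter has a title plus zero or more keywords; every keyword is bounded
# individually so one oversized entry cannot hide behind a short title.
def validate_filter(attrs)
  errors = validate_length("title", attrs[:title], MAX_NAME_LENGTH)
  Array(attrs[:keywords]).each_with_index do |keyword, index|
    errors.concat(validate_length("keywords[#{index}]", keyword, MAX_KEYWORD_LENGTH))
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a 100,000-character title as an API client might send.
  oversized = { title: "a" * 100_000 }
  puts "unbounded accepts oversized title: #{accept_unbounded(oversized).empty?}"
  puts "bounded rejects oversized title:   #{validate_list(oversized).inspect}"
  puts "bounded accepts normal filter:     #{validate_filter(title: 'Spam', keywords: ['buy now']).inspect}"
end
```

The contrast function returns no errors for the oversized title, which is the behaviour the advisory describes; the bounded validators return a descriptive error instead, so the request is rejected before any storage or rendering cost is incurred.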

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BIT-MASTODON-2026-23963
CVE-2026-23963
GHSA-6X3W-9G92-GVF3

Affected Products

Mastodon