What is CVE-2026-25540?

CVE-2026-25540 is a medium-severity vulnerability in Mastodon, classified under Use of Cache Containing Sensitive Information. CVSS score: 6.5/10. Published 2026-02-04.

How severe is CVE-2026-25540?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Vulnerability in Mastodon

CVE-2026-25540

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoint…

EPSS: 0.000 (7.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L.

Affected products

Mastodon — versions < 4.3.19, < 4.4.13, < 4.5.6

Weakness classification (CWE)

CWE-524 — Use of Cache Containing Sensitive Information

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-25540?: CVE-2026-25540 is a medium-severity vulnerability in Mastodon, classified under Use of Cache Containing Sensitive Information. CVSS score: 6.5/10. Published 2026-02-04.
How severe is CVE-2026-25540?: Medium severity. CVSS v3 base score is 6.5 out of 10.