SSRF in Mastodon
CVE-2026-46348
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges used to filter outbound requests was missing a range that can be used to reach local IP addresses. An atta…
Vulnerability class: SSRF (Server-Side Request Forgery)
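The failure mode described above, as an added Ruby example that is not Mastodon's own code and does not claim to reproduce its list: a denylist of "local" ranges that covers only the obvious loopback and RFC 1918 space, a fuller list beside it, and a check that is applied to every resolved address of a host rather than to the hostname. Which range Mastodon was missing is not stated on this page; the extra ranges below are the ones a practitioner would normally expect an SSRF filter to deny. The hostnames, the in-memory DNS table and the constant names are constructed for the example.

```ruby
require "ipaddr"
require "socket"

# Commonly-cited private/loopback ranges. On its own this list is incomplete:
# it is the kind of list the advisory says was missing a range.
NAIVE_DENYLIST = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 ::1/128
].map { |cidr| IPAddr.new(cidr) }.freeze

# Ranges the naive list does not cover. Each can still reach the host itself
# or its local network; which one Mastodon lacked is not stated on this page.
EXTRA_DENYLIST = [
  "0.0.0.0/8",     # "this network": connecting to 0.0.0.0 reaches localhost on Linux
  "100.64.0.0/10", # shared address space (CGNAT), often routable inside a deployment
  "192.0.0.0/24",  # IETF protocol assignments
  "198.18.0.0/15", # benchmarking
  "224.0.0.0/4",   # multicast
  "240.0.0.0/4",   # reserved, includes the 255.255.255.255 broadcast address
  "::/128",        # IPv6 unspecified address
  "fc00::/7",      # IPv6 unique local addresses
  "fe80::/10",     # IPv6 link-local
  "64:ff9b::/96",  # NAT64 well-known prefix, embeds an IPv4 address
].map { |cidr| IPAddr.new(cidr) }.freeze

HARDENED_DENYLIST = (NAIVE_DENYLIST + EXTRA_DENYLIST).freeze
NAT64_PREFIX = IPAddr.new("64:ff9b::/96").freeze

# Canonicalise before matching: an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
# is also checked as plain IPv4, and a NAT64 address is also checked as the
# IPv4 address it embeds. Otherwise an IPv6 spelling of 127.0.0.1 slips past
# every IPv4 entry in the list.
def canonical_forms(ip)
  ip = IPAddr.new(ip) unless ip.is_a?(IPAddr)
  forms = [ip]
  forms << ip.native if ip.ipv4_mapped?
  forms << IPAddr.new(ip.to_i & 0xffffffff, Socket::AF_INET) if ip.ipv6? && NAT64_PREFIX.include?(ip)
  forms
end

# True if the address, in any canonical form, falls inside a denied range.
def denied_ip?(ip, denylist)
  canonical_forms(ip).any? { |form| denylist.any? { |range| range.include?(form) } }
end

# Constructed stand-in for DNS so the example runs offline. A real check
# resolves with Resolv/Addrinfo and must connect to the very addresses it
# checked, or a rebinding name can change its answer between check and use.
FAKE_DNS = {
  "mastodon.example" => ["203.0.113.10"],
  "rebind.example"   => ["203.0.113.10", "127.0.0.1"],   # mixed answer set
  "zero.example"     => ["0.0.0.0"],
  "mapped.example"   => ["::ffff:169.254.169.254"],       # metadata service, IPv6-mapped
}.freeze

# Decide whether an outbound fetch to `host` may proceed. `host` may be a
# hostname or an IP literal; every resolved address must pass, not just the
# first, so a mixed public/private answer is rejected outright.
def fetch_allowed?(host, denylist: HARDENED_DENYLIST, resolver: FAKE_DNS)
  addrs = begin
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    resolver.fetch(host, [])
  end
  return false if addrs.empty?
  addrs.none? { |addr| denied_ip?(addr, denylist) }
end

if __FILE__ == $PROGRAM_NAME
  %w[mastodon.example rebind.example zero.example mapped.example 127.0.0.1].each do |host|
    naive    = fetch_allowed?(host, denylist: NAIVE_DENYLIST)
    hardened = fetch_allowed?(host)
    puts format("%-18s naive=%-5s hardened=%s", host, naive, hardened)
  end
end
```

The important check is the second one: the same request to `zero.example` is allowed by the naive list and denied by the fuller one, which is exactly the gap a missing range leaves. The denylist must also be re-run on every redirect target, since a public host that 302s to a local address is the usual way such a filter is bypassed.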
Affected products
- Mastodon — versions >= 4.5.0-beta.1, < 4.5.10
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)