CVE-2026-48028
MEDIUMDescription
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-48028? +
How severe is CVE-2026-48028? +
How do I check if I'm vulnerable to CVE-2026-48028? +
Related Vulnerabilities
A security issue exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses …
Netskope has identified a potential gap in its agent (Netskope Client) in which a malicious insider can potentially tamper the …
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` …
An insufficient validation of an untrusted input vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user …
In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.
Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized …