CVE-2026-33868 in Mastodoninformação

Sumário (Inglês)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability (CWE-601) exists in the `/web/*` route due to improper handling of URL-encoded path segments. An attacker can craft a specially encoded URL that causes the application to redirect users to an arbitrary external domain, enabling phishing attacks and potential OAuth credential theft. The issue occurs because URL-encoded slashes (`%2F`) bypass Rails path normalization and are interpreted as host-relative redirects. Versions 4.5.8, 4.4.15, and 4.3.21 patch the issue.

Responsável

GitHub_M

Reservar

24/03/2026

Divulgação

27/03/2026

Inscrições

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerabilidade	CWE	Exp	Con	CVE
354023	Mastodon URL web Redirect	601	Não definido	Correção oficial	CVE-2026-33868

Descrição

CPE

CWE

CVSS

Explorações

História

Diferença

Relacionar

Inteligência de ameaças

API JSON

API XML

API CSV

◂ VoltarVisão GeralPróximo ▸

Do you need the next level of professionalism?

Upgrade your account now!