QwikSec

Security Database

CVE

CWE

Training

CVE-2026-23962

Published: Jan 22, 2026

Modified: Jan 22, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Vendor	Product	Versions
mastodon	mastodon	affected `< 4.3.18` affected `>= 4.4.0, < 4.4.12` affected `>= 4.5.0, < 4.5.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g

x_refsource_CONFIRM

https://github.com/mastodon/mastodon/releases/tag/v4.3.18

x_refsource_MISC

https://github.com/mastodon/mastodon/releases/tag/v4.4.12

x_refsource_MISC

https://github.com/mastodon/mastodon/releases/tag/v4.5.5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.