Nixpkgs security tracker

Untriaged

Permalink CVE-2026-41259

created 1 month ago Activity log

Created suggestion 1 month ago

Mastodon: Insufficient verification of email addresses

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-5r37-qpwq-2jhh x_refsource_CONFIRM

Affected products

mastodon

==< 4.3.22
==>= 4.4.0-beta.1, < 4.4.16
==>= 4.5.0-beta.1, < 4.5.9

Matching in nixpkgs

pkgs.mastodon

Self-hosted, globally interconnected microblogging software based on ActivityPub

nixos-unstable 4.5.9
- nixpkgs-unstable 4.5.9
- nixos-unstable-small 4.5.9
nixos-25.11 4.5.9
- nixos-25.11-small 4.5.9
- nixpkgs-25.11-darwin 4.5.9

pkgs.bitlbee-mastodon

Bitlbee plugin for Mastodon

nixos-unstable 1.4.5
- nixpkgs-unstable 1.4.5
- nixos-unstable-small 1.4.5
nixos-25.11 1.4.5
- nixos-25.11-small 1.4.5
- nixpkgs-25.11-darwin 1.4.5

pkgs.mastodon-archive

Utility for backing up your Mastodon content

nixos-unstable 1.4.8
- nixpkgs-unstable 1.4.8
- nixos-unstable-small 1.4.8
nixos-25.11 1.4.8
- nixos-25.11-small 1.4.8
- nixpkgs-25.11-darwin 1.4.8

pkgs.python312Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python313Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4
nixos-25.11 2.1.4
- nixos-25.11-small 2.1.4
- nixpkgs-25.11-darwin 2.1.4

pkgs.python314Packages.mastodon-py

Python wrapper for the Mastodon API

nixos-unstable 2.1.4
- nixpkgs-unstable 2.1.4
- nixos-unstable-small 2.1.4

pkgs.home-assistant-component-tests.mastodon

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.mastodon

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

pkgs.wordpressPackages.plugins.simple-mastodon-verification

None

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 2.0.3
- nixos-25.11-small 2.0.3
- nixpkgs-25.11-darwin 2.0.3

Package maintainers

@jpotier Martin Potier <jpo.contributes.to.nixos@marvid.fr>
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
@happy-river Happy River <happyriver93@runbox.com>
@erictapen Kerstin Humm <kerstin@erictapen.name>
@ghuntley Geoffrey Huntley <ghuntley@ghuntley.com>
@ju1m Julien Moutinho <julm@sourcephile.fr>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Untriaged

Permalink CVE-2026-33869

4.8 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): Low (L)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

Mastodon has a denial of service for quote authorization

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The vulnerability has been patched in Mastodon 4.5.8 and 4.4.15. Mastodon 4.3 and earlier are not affected because they do not support quotes.