Home > Vulnerability Database > CVE-2026-23962

Mend.io Vulnerability Database

CVE-2026-23962

Good to know:

Date: January 21, 2026

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched.

Severity Score

7.5

Related Resources (6)

Url: https://github.com/mastodon/mastodon/releases/tag/v4.3.18

Url: https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g

Url: https://github.com/mastodon/mastodon/releases/tag/v4.5.5

Url: https://github.com/mastodon/mastodon/releases/tag/v4.4.12

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23962

Url: https://www.mend.io/vulnerability-database/CVE-2026-23962

Severity Score

7.5

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version https://github.com/mastodon/mastodon.git - v4.5.5;https://github.com/mastodon/mastodon.git - v4.4.12;https://github.com/mastodon/mastodon.git - v4.3.18

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23962

Good to know:

Date: January 21, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?